Описание
Synapse allows a a malformed invite to break the invitee's /sync
Impact
Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality.
Patches
Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Workarounds
Server administrators can disable federation from untrusted servers.
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
Пакеты
matrix-synapse
< 1.120.1
1.120.1
Связанные уязвимости
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Synapse is an open-source Matrix homeserver. Synapse versions before 1 ...