CVE-2023-32323
Publication date 26 May 2023
Last updated 11 April 2025
Ubuntu priority
CVSS 3 severity score
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.
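The description above states the defect (no size limit on `invite_room_state`) and the fix (1.74 refuses oversized fields) without showing what "oversized" does to federation. The following is an added illustration, not Synapse's own code: a naive invite builder that copies whatever stripped state the inviter supplies, next to a hardened builder that refuses it. The only fact borrowed from outside the page is the Matrix federation rule that an event must not exceed 65536 bytes as canonical JSON; the receiving side's rejection of such an event is the assumed mechanism by which the invite can never be delivered to homeserver Y. `MAX_STRIPPED_EVENTS`, the sample room and user IDs, and the stripped-state payloads are constructed for this example and are not the values Synapse 1.74 uses.

```python
"""Added example (not Synapse's code): why an unbounded invite_room_state
breaks delivery to the remote server, and a pre-flight check in the spirit
of the Synapse 1.74 fix.

Assumptions, labelled here and in the lead-in:
  * MAX_EVENT_BYTES = 65536 is the Matrix spec limit on an event in the
    federation format, serialised as canonical JSON; a remote server
    rejects anything larger.
  * MAX_STRIPPED_EVENTS is a hypothetical cap on the number of stripped
    state events allowed in invite_room_state; the real 1.74 limit is
    not given on this page and may differ.
"""
import json

MAX_EVENT_BYTES = 65536
MAX_STRIPPED_EVENTS = 20   # hypothetical cap chosen for this example


def canonical_json_size(obj) -> int:
    """Byte length of obj as Matrix canonical JSON: sorted keys, no
    whitespace, UTF-8 encoded with non-ASCII characters left unescaped."""
    return len(json.dumps(obj, sort_keys=True, separators=(",", ":"),
                          ensure_ascii=False).encode("utf-8"))


def stripped_state_event(event_type, state_key, content, sender):
    """Minimal stripped state event as carried in invite_room_state."""
    return {"type": event_type, "state_key": state_key,
            "content": content, "sender": sender}


def build_invite_unchecked(room_id, sender, target, invite_room_state):
    """Pre-1.74 behaviour: the inviter-supplied stripped state is copied
    into unsigned.invite_room_state verbatim, whatever its size."""
    return {
        "type": "m.room.member",
        "room_id": room_id,
        "sender": sender,
        "state_key": target,
        "content": {"membership": "invite"},
        "unsigned": {"invite_room_state": list(invite_room_state)},
    }


def build_invite_checked(room_id, sender, target, invite_room_state):
    """Hardened builder: refuse to create an invite whose stripped state
    is too long or would push the event past the federation size limit."""
    if len(invite_room_state) > MAX_STRIPPED_EVENTS:
        raise ValueError(
            f"invite_room_state has {len(invite_room_state)} events, "
            f"max {MAX_STRIPPED_EVENTS}")
    event = build_invite_unchecked(room_id, sender, target, invite_room_state)
    size = canonical_json_size(event)
    if size > MAX_EVENT_BYTES:
        raise ValueError(f"invite event is {size} bytes, max {MAX_EVENT_BYTES}")
    return event


def remote_accepts(event) -> bool:
    """What the receiving homeserver Y does with the inbound invite,
    reduced to the size check (signature and auth checks omitted)."""
    return canonical_json_size(event) <= MAX_EVENT_BYTES


# --- constructed sample data; not taken from any real room ---
ROOM = "!abc:x.example"
INVITER = "@mallory:x.example"
TARGET = "@alice:y.example"

NORMAL_STATE = [
    stripped_state_event("m.room.name", "", {"name": "Chat"}, INVITER),
    stripped_state_event("m.room.join_rules", "", {"join_rule": "invite"}, INVITER),
]

# One topic event with a ~100 KiB body is enough to exceed the limit.
OVERSIZED_STATE = NORMAL_STATE + [
    stripped_state_event("m.room.topic", "", {"topic": "A" * 100_000}, INVITER),
]


def demo():
    """Returns (Y accepts the normal invite, Y accepts the oversized invite,
    the checked builder refuses the oversized invite)."""
    ok = remote_accepts(build_invite_unchecked(ROOM, INVITER, TARGET, NORMAL_STATE))
    bad = remote_accepts(build_invite_unchecked(ROOM, INVITER, TARGET, OVERSIZED_STATE))
    try:
        build_invite_checked(ROOM, INVITER, TARGET, OVERSIZED_STATE)
        refused = False
    except ValueError:
        refused = True
    return ok, bad, refused


if __name__ == "__main__":
    print(demo())
```

The point of the two limits is that they fail at different layers: the count cap stops the cheap attack of many small stripped events, while the canonical-JSON size check is the authoritative one because it measures exactly what the remote server will measure. Checking at creation time, as 1.74 does, keeps the undeliverable event out of the outbound queue altogether rather than discovering the problem on every retry.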
Status
Package | Ubuntu Release | Status
---|---|---
matrix-synapse | 24.04 LTS noble | Not affected
matrix-synapse | 22.04 LTS jammy | Ignored (patch infeasible)
matrix-synapse | 20.04 LTS focal | Ignored (patch infeasible)
matrix-synapse | 18.04 LTS bionic | Ignored (patch infeasible)
matrix-synapse | 16.04 LTS xenial | Ignored (end of standard support)
matrix-synapse | 14.04 LTS trusty | Ignored (end of standard support)
Notes
john-breton
1k+ monster of a patch that doesn't apply cleanly to jammy and below. Extracting the necessary fixes is possible in theory, but would require substantial effort to get to work and would be very likely to introduce regressions.
Severity score breakdown
Parameter | Value
---|---
Base score | 4.3
Attack vector | Network
Attack complexity | Low
Privileges required | Low
User interaction | None
Scope | Unchanged
Confidentiality impact | None
Integrity impact | None
Availability impact | Low
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L