CVE-2024-52805

High

Description

Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can, in certain configurations, transiently increase memory consumption beyond expected levels while the request is being processed, which can be used to amplify denial-of-service attacks. Synapse 1.120.1 resolves the issue by denying requests with an unsupported multipart/form-data content type.

References

https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609

https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518

https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2

Details

Source: Mitre, NVD

Published: 2024-12-03

Updated: 2024-12-03

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 8.2

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High