CVE-2024-52815

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-52815
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52815.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-52815
Aliases
Downstream
Related
Published
2024-12-03T16:58:30.877Z
Modified
2026-04-11T12:47:11.040348Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Synapse allows a a malformed invite to break the invitee's `/sync`
Details

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52815.json"
}
References

Affected packages

Git / github.com/element-hq/synapse

Affected ranges

Type
GIT
Repo
https://github.com/element-hq/synapse
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fe3d88b833f76742874642c119b14b788341c905
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.120.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
hhs-1
hhs-2
hhs-3
hhs-5
hhs-6
hhs-7
hhs-8
v0.*
v0.10.0
v0.10.0-r1
v0.10.0-r2
v0.11.0
v0.11.0-r1
v0.11.0-r2
v0.11.1
v0.12.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.16.0
v0.16.1
v0.16.1-r1
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.2.0
v0.2.1
v0.2.1a
v0.2.2
v0.23.0-rc1
v0.23.0-rc2
v0.25.0-rc1
v0.28.0-rc1
v0.3.0
v0.3.3
v0.3.4
v0.32.0
v0.32.0rc1
v0.32.2
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.3a
v0.5.3b
v0.5.3c
v0.5.4
v0.5.4a
v0.6.0
v0.6.0a
v0.6.0b
v0.6.1
v0.6.1a
v0.6.1b
v0.6.1c
v0.6.1d
v0.6.1e
v0.6.1f
v0.7.0
v0.7.0a
v0.7.0b
v0.7.0c
v0.7.0d
v0.7.0e
v0.7.0f
v0.7.1
v0.7.1-r1
v0.7.1-r2
v0.7.1-r3
v0.7.1-r4
v0.8.0
v0.8.1
v0.8.1-r1
v0.8.1-r2
v0.8.1-r3
v0.8.1-r4
v0.9.0
v0.9.0-r1
v0.9.0-r2
v0.9.0-r3
v0.9.0-r4
v0.9.0-r5
v0.9.1
v0.9.2
v0.9.2-r1
v0.9.2-r2
v0.9.3
v0.99.1rc1
v0.99.2rc1
v0.99.4rc1
v0.99.5.1.dev0
v1.*
v1.1.0rc1
v1.1.0rc2
v1.10.0rc1
v1.100.0rc1
v1.100.0rc2
v1.100.0rc3
v1.101.0rc1
v1.103.0rc1
v1.104.0rc1
v1.105.0rc1
v1.106.0rc1
v1.11.0rc1
v1.111.0rc1
v1.112.0rc1
v1.114.0rc1
v1.115.0rc1
v1.116.0rc1
v1.12.0rc1
v1.120.0
v1.120.0rc1
v1.14.0rc1
v1.15.0rc1
v1.16.0rc1
v1.17.0rc1
v1.18.0rc1
v1.23.0rc1
v1.24.0rc1
v1.27.0rc1
v1.29.0rc1
v1.3.0rc1
v1.30.0rc1
v1.31.0rc1
v1.32.0rc1
v1.34.0rc1
v1.35.0rc1
v1.36.0rc1
v1.4.0rc1
v1.40.0rc1
v1.49.0rc1
v1.5.0rc1
v1.52.0rc1
v1.6.0rc1
v1.62.0rc1
v1.63.0rc1
v1.75.0rc1
v1.76.0rc1
v1.78.0rc1
v1.79.0rc1
v1.8.0rc1
v1.81.0rc1
v1.84.0rc1
v1.87.0rc1
v1.88.0rc1
v1.9.0.dev1
v1.9.0.dev2
v1.9.0rc1
v1.90.0rc1
v1.94.0rc1
v1.95.0rc1
v1.98.0rc1
v1.99.0rc1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52815.json"