CVE-2018-10657 – matrix-synapse

Package

Manager: pip
Name: matrix-synapse
Vulnerable Version: >=0 <0.28.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00402 pctl0.60044

Details

Matrix Synapse DoS Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2<sup>63</sup> - 1 render rooms unusable, related to `federation/federation_base.py` and `handlers/message.py`, as exploited in the wild in April 2018.

Metadata

Created: 2022-05-14T03:20:03Z
Modified: 2023-10-06T17:20:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vmcc-4p4x-x7wg/GHSA-vmcc-4p4x-x7wg.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-vmcc-4p4x-x7wg
Finding: F184
Auto approve: 1