HIGH
GHSA-f3r3-h2mq-hx2h
Synapse allows a malformed invite to break the invitee's `/sync`
Details
### Impact
Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's `/sync` functionality.
### Patches
Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
### Workarounds
Server administrators can disable federation from untrusted servers.
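Synapse's `homeserver.yaml` exposes this as `federation_domain_whitelist`: once the list is set, only the named servers may federate with yours, so inbound invites from any other server are refused before they reach a user's `/sync`. The fragment below is an added example, not part of the advisory; the domain names are placeholders.

```yaml
# Added example (not from the advisory). Restrict federation to known-good
# homeservers; any server not listed, including one sending crafted invites,
# is rejected at the application layer. Domains below are placeholders.
federation_domain_whitelist:
  - trusted-partner.example.org
  - other-trusted.example.net
```

Leaving the option unset keeps open federation, which is the default; setting it is a blunt instrument that also blocks legitimate rooms on unlisted servers, so treat it as a stopgap until the upgrade to 1.120.1 is applied.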
### For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
Affected packages
PyPI / matrix-synapse
Introduced in: 0
Fixed in: 1.120.1
Upgrade command: pip install --upgrade 'matrix-synapse>=1.120.1'