rpm package
opensuse/matrix-synapse&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/matrix-synapse&distro=openSUSE%20Tumbleweed
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45078 | Med | 5.5 | < 1.153.0-2.1 | 1.153.0-2.1 | May 28, 2026 | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1. | |
| CVE-2026-45076 | Low | 2.7 | < 1.153.0-2.1 | 1.153.0-2.1 | May 28, 2026 | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room histor | |
| CVE-2026-24044 | Cri | — | < 1.147.1-1.1 | 1.147.1-1.1 | Feb 12, 2026 | Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key ge | |
| CVE-2025-61672 | Med | — | < 1.139.1-1.1 | 1.139.1-1.1 | Oct 8, 2025 | Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to | |
| CVE-2025-49090 | Hig | 7.1 | < 1.136.0-1.1 | 1.136.0-1.1 | Oct 2, 2025 | The Matrix specification before 1.16 (i.e., with a room version before 12 and State Resolution before 2.1) has deficient state resolution. | |
| CVE-2025-8714 | Hig | 8.8 | < 1.137.0-1.1 | 1.137.0-1.1 | Aug 14, 2025 | Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. | |
| CVE-2025-30355 | — | < 1.127.1-1.1 | 1.127.1-1.1 | Mar 27, 2025 | Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. | ||
| CVE-2024-53867 | Med | 4.3 | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1. | |
| CVE-2024-37303 | — | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for | ||
| CVE-2024-37302 | — | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate | ||
| CVE-2024-52805 | — | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. | ||
| CVE-2024-52815 | — | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1 | ||
| CVE-2024-53863 | — | < 1.120.2-1.1 | 1.120.2-1.1 | Dec 3, 2024 | Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools lik | ||
| CVE-2024-41671 | Hig | 8.3 | < 1.112.0-1.1 | 1.112.0-1.1 | Jul 29, 2024 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1. | |
| CVE-2024-31208 | — | < 1.105.1-1.1 | 1.105.1-1.1 | Apr 23, 2024 | Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption an | ||
| CVE-2023-43796 | — | < 1.95.1-1.1 | 1.95.1-1.1 | Oct 31, 2023 | Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Syna | ||
| CVE-2023-45129 | — | < 1.94.0-2.1 | 1.94.0-2.1 | Oct 10, 2023 | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed fede | ||
| CVE-2023-41335 | — | < 1.93.0-1.1 | 1.93.0-1.1 | Sep 26, 2023 | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the use | ||
| CVE-2023-42453 | — | < 1.93.0-1.1 | 1.93.0-1.1 | Sep 26, 2023 | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This co | ||
| CVE-2023-4863 | — | KEV | < 1.93.0-1.1 | 1.93.0-1.1 | Sep 12, 2023 | Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) |
- affected < 1.153.0-2.1fixed 1.153.0-2.1
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
- affected < 1.153.0-2.1fixed 1.153.0-2.1
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room histor
- affected < 1.147.1-1.1fixed 1.147.1-1.1
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key ge
- affected < 1.139.1-1.1fixed 1.139.1-1.1
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to
- affected < 1.136.0-1.1fixed 1.136.0-1.1
The Matrix specification before 1.16 (i.e., with a room version before 12 and State Resolution before 2.1) has deficient state resolution.
- affected < 1.137.0-1.1fixed 1.137.0-1.1
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected.
- CVE-2025-30355Mar 27, 2025affected < 1.127.1-1.1fixed 1.127.1-1.1
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1.
- affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
- CVE-2024-37303Dec 3, 2024affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for
- CVE-2024-37302Dec 3, 2024affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate
- CVE-2024-52805Dec 3, 2024affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.
- CVE-2024-52815Dec 3, 2024affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1
- CVE-2024-53863Dec 3, 2024affected < 1.120.2-1.1fixed 1.120.2-1.1
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools lik
- affected < 1.112.0-1.1fixed 1.112.0-1.1
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.
- CVE-2024-31208Apr 23, 2024affected < 1.105.1-1.1fixed 1.105.1-1.1
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption an
- CVE-2023-43796Oct 31, 2023affected < 1.95.1-1.1fixed 1.95.1-1.1
Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Syna
- CVE-2023-45129Oct 10, 2023affected < 1.94.0-2.1fixed 1.94.0-2.1
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed fede
- CVE-2023-41335Sep 26, 2023affected < 1.93.0-1.1fixed 1.93.0-1.1
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the use
- CVE-2023-42453Sep 26, 2023affected < 1.93.0-1.1fixed 1.93.0-1.1
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This co
- affected < 1.93.0-1.1fixed 1.93.0-1.1
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Page 1 of 2