
CVE-2020-26257: Denial of service attack via incorrect parameters in Matrix Synapse

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.62852%
Published: 12/9/2020
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| matrix-synapse | pip | < 1.23.1 | 1.23.1 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from the federation endpoints /send_join, /send_leave, /invite and /exchange_third_party_invite trusting the room_id taken from the URL path instead of validating it against the request body. The fix in PR #8776 shows these handlers being changed to take 'room_id' from the request content, guarded by assert_params_in_dict checks. Because the original implementations never verified that path and body agreed, an attacker could supply conflicting room IDs, leading to state corruption and denial of service.
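To make the path/body inconsistency concrete, the following is an added example (not Synapse's own code) of a minimal federation-style handler in its pre-fix shape next to the hardened form. The endpoint names come from the advisory; the helper names (`assert_params_in_dict` is a simplified stand-in for the check the analysis refers to), the `RequestError` class and the sample events are constructed for this example.

```python
# Added example (not Synapse's code): a minimal federation-style request handler
# that shows the path/body room_id mismatch the advisory describes, beside the
# hardened form. Endpoint names match the advisory; helper names, the error
# class and the sample events are constructed for this example.
import json
from typing import Any, Callable, Dict, List, Tuple


class RequestError(Exception):
    """Stand-in for the HTTP error a homeserver returns to a federation peer."""

    def __init__(self, code: int, msg: str) -> None:
        super().__init__(f"{code}: {msg}")
        self.code = code


def assert_params_in_dict(body: Dict[str, Any], required: List[str]) -> None:
    """Simplified equivalent of the assert_params_in_dict check the analysis
    mentions: reject the request if any required key is absent from the body."""
    missing = [key for key in required if key not in body]
    if missing:
        raise RequestError(400, f"Missing params: {missing}")


def handle_event_vulnerable(path_room_id: str, body: Dict[str, Any]) -> str:
    """Pre-fix shape: the room is taken from the URL path only, so an event
    whose body names a different room is applied to the path's room state.
    Returns the room the event would be applied to."""
    return path_room_id  # body["room_id"] is never consulted


def handle_event_fixed(path_room_id: str, body: Dict[str, Any]) -> str:
    """Post-fix shape: require room_id in the body and refuse any mismatch with
    the path before the event touches room state."""
    assert_params_in_dict(body, ["room_id", "type", "sender"])
    if body["room_id"] != path_room_id:
        raise RequestError(400, "Room ID in path does not match event body")
    return body["room_id"]


# Constructed sample requests: (endpoint, room id in the URL path, JSON body as
# sent by the remote server). The /send_leave case carries a conflicting room id
# and the /invite case omits room_id from the body entirely.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("/send_join", "!target:example.org",
     '{"room_id": "!target:example.org", "type": "m.room.member", "sender": "@alice:remote.example"}'),
    ("/send_leave", "!target:example.org",
     '{"room_id": "!other:example.org", "type": "m.room.member", "sender": "@bob:remote.example"}'),
    ("/invite", "!target:example.org",
     '{"type": "m.room.member", "sender": "@carol:remote.example"}'),
]


def process(requests: List[Tuple[str, str, str]],
            handler: Callable[[str, Dict[str, Any]], str]) -> Dict[str, str]:
    """Run each sample request through `handler` and record, per endpoint, the
    room the event was applied to or the rejection it received."""
    outcome: Dict[str, str] = {}
    for endpoint, path_room_id, raw_body in requests:
        try:
            outcome[endpoint] = "applied to " + handler(path_room_id, json.loads(raw_body))
        except RequestError as err:
            outcome[endpoint] = f"rejected ({err.code})"
    return outcome


if __name__ == "__main__":
    print("vulnerable:", process(SAMPLE_REQUESTS, handle_event_vulnerable))
    print("fixed:     ", process(SAMPLE_REQUESTS, handle_event_fixed))
```

The vulnerable handler applies all three sample events to the room named in the path, including the one whose body belongs to a different room; the fixed handler rejects the conflicting and the incomplete body with a 400 before any state is touched, which is the property the patched version restores.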


### Impact

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a
