CVE-2023-45129: matrix-synapse vulnerable to denial of service due to malicious server ACL events

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.48488%
Published: 10/10/2023
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
| Package Name   | Ecosystem | Vulnerable Versions | First Patched Version |
|----------------|-----------|---------------------|-----------------------|
| matrix-synapse | pip       | < 1.94.0            | 1.94.0                |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the original server ACL checking implementation in server_matches_acl_event, which processed the allow/deny lists by converting every glob pattern to a regex on each check, so each incoming check against a large or hostile ACL paid the full compilation cost again. The commit f84da3c introduced caching and Rust-based pre-compilation, indicating the previous implementation lacked throttling/caching. The function was removed in the patch and replaced with a cached evaluator, confirming it was the source of the resource allocation vulnerability.
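As an added illustration of the remediation pattern described above, not Synapse's own code: each distinct ACL's globs are compiled once and reused, so repeated checks against the same hostile ACL event pay the regex-compilation cost only on the first check. Field names follow the m.room.server_acl event content; the glob semantics ('*' and '?'), the IP-literal parsing and the lru_cache bound are assumptions of this example.

```python
import functools
import re
from ipaddress import ip_address


def _glob_to_regex(glob: str) -> re.Pattern:
    """Translate a server-name glob ('*' any run, '?' one char) into an anchored regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob]
    return re.compile("^" + "".join(parts) + "$")


def _is_ip_literal(server_name: str) -> bool:
    """True for '1.2.3.4', '1.2.3.4:8448' or '[::1]:8448' style server names."""
    if server_name.startswith("["):
        host = server_name[1:server_name.find("]")]
    else:
        host = server_name.rsplit(":", 1)[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


@functools.lru_cache(maxsize=1024)
def _compile_acl(allow: tuple, deny: tuple) -> tuple:
    """Compile the globs of one distinct ACL exactly once; later checks with the
    same allow/deny lists are cache hits. maxsize bounds memory so the cache
    itself cannot become a resource sink (assumed bound, not Synapse's)."""
    return tuple(map(_glob_to_regex, allow)), tuple(map(_glob_to_regex, deny))


def server_matches_acl_event(server_name: str, acl_content: dict) -> bool:
    """Illustrative cached evaluator for m.room.server_acl content (not Synapse's).
    A server passes if it is not a banned IP literal, matches no deny glob and
    matches at least one allow glob."""
    # Non-string entries are ignored rather than compiled; tuples make the
    # lists hashable so they can serve as the cache key.
    allow = tuple(p for p in acl_content.get("allow", []) if isinstance(p, str))
    deny = tuple(p for p in acl_content.get("deny", []) if isinstance(p, str))
    if not acl_content.get("allow_ip_literals", True) and _is_ip_literal(server_name):
        return False
    allow_re, deny_re = _compile_acl(allow, deny)
    if any(r.match(server_name) for r in deny_re):
        return False
    return any(r.match(server_name) for r in allow_re)
```

`_compile_acl.cache_info()` shows the effect: after the first evaluation of a given ACL, further checks register as hits and compile nothing.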

Vulnerable functions

WAF Protection Rules

WAF Rule

Impact: A malicious server ACL event can impact performance temporarily or permanently, leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected.
