{"id":"UBUNTU-CVE-2023-32323","details":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.","modified":"2025-09-08T16:56:19Z","published":"2023-05-26T14:15:00Z","upstream":["CVE-2023-32323"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-32323"},{"type":"REPORT","url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"},{"type":"REPORT","url":"https://github.com/matrix-org/synapse/pull/14642"},{"type":"REPORT","url":"https://github.com/matrix-org/synapse/issues/14492"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-32323"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/matrix-synapse@0.24.0+dfsg-1ubuntu0.1~esm4?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.19.2+dfsg-6","0.24.0+dfsg-1","0.24.0+dfsg-1ubuntu0.1~esm1","0.24.0+dfsg-1ubuntu0.1~esm4"],"ecosystem_specific":{"binaries":[{"binary_version":"0.24.0+dfsg-1ubuntu0.1~esm4","binary_name":"matrix-synapse"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-32323.json"}},{"package":{"name":"matrix-synapse","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/matrix-synapse@1.11.0-1ubuntu0.1~esm2?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.0-1","1.4.0-1","1.5.0-1","1.5.1-1","1.6.0-1","1.6.1-1","1.7.0-2","1.7.1-1","1.7.2-1","1.7.3-1","1.8.0-1","1.9.0-1","1.9.1-1","1.10.0-1","1.10.0-2","1.11.0-1","1.11.0-1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.11.0-1ubuntu0.1~esm2","binary_name":"matrix-synapse"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-32323.json"}},{"package":{"name":"matrix-synapse","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/matrix-synapse@1.53.0-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.39.0-1","1.47.0-2","1.47.1-1","1.48.0-1","1.49.0-1","1.49.2-1","1.50.1-1","1.50.2-1","1.51.0-1","1.52.0-1","1.53.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.53.0-1","binary_name":"matrix-synapse"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-32323.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}]}