Impact
Synapse versions before 1.120.1 fail to properly validate invites received over federation. A malicious homeserver can send a specially crafted invite that disrupts the invited user's /sync functionality, leaving that user unable to sync until the invalid invite is dealt with.
Patches
Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Workarounds
Server administrators can disable federation from untrusted servers.
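As an added illustration (not part of the advisory text), the workaround can be applied with Synapse's federation_domain_whitelist setting in homeserver.yaml, which restricts federation to the listed server names. The domain names below are placeholders; the setting is only a mitigation and does not replace upgrading to 1.120.1.

```yaml
# homeserver.yaml (added example; domains are placeholders, not real servers)
# With this list set, Synapse only federates with the named homeservers.
# Omitting the setting (the default) allows federation with any server,
# so an untrusted server could deliver the malformed invite.
federation_domain_whitelist:
  - trusted-partner.example.com
  - other-trusted.example.org
```

Restart Synapse after editing the file. Because this restriction is enforced in the application layer, it is good practice to also limit inbound traffic to the federation listener at the firewall, and to remove the allow list once all servers are on a patched version if open federation is desired.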
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.