Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-21273

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.

Published

2021-02-26T18:15:12.143

Last Modified

2024-11-21T05:47:54.387

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.1 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-601
Type: Primary
CWE-601

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	matrix	synapse	< 1.25.0	Yes
Operating System	fedoraproject	fedora	34	Yes

References

https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746 Patch, Third Party Advisory ([email protected])
https://github.com/matrix-org/synapse/pull/8821 Patch, Third Party Advisory ([email protected])
https://github.com/matrix-org/synapse/releases/tag/v1.25.0 Third Party Advisory ([email protected])
https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p Patch, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/ ([email protected])
https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/matrix-org/synapse/pull/8821 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/matrix-org/synapse/releases/tag/v1.25.0 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/ (af854a3a-2127-422b-91ae-364da2661108)