Lucene search

[email protected]CVE-2021-21274

HistoryFeb 26, 2021 - 6:15 p.m.

CVE-2021-21274

2021-02-2618:15:12

CWE-400

CWE-770

[email protected]

web.nvd.nist.gov

synapse

matrix

homeserver

python

pypi

cve-2021-21274

security

denial of service

federation

voip

instant messaging

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.8%

JSON

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the federation_domain_whitelist setting can be used to restrict the homeservers communicated with over federation.

Affected configurations

Vulners

NVD

Node

matrix-orgsynapseRange0.99.0–1.25.0

CPENameOperatorVersion
matrix:synapsematrix synapselt1.25.0

CPE	Name	Operator	Version
matrix:synapse	matrix synapse	lt	1.25.0

CNA Affected

[
  {
    "product": "synapse",
    "vendor": "matrix-org",
    "versions": [
      {
        "status": "affected",
        "version": ">=0.99.0, < 1.25.0"
      }
    ]
  }
]