Lucene search

[email protected]CVE-2021-21393

HistoryApr 12, 2021 - 10:15 p.m.

CVE-2021-21393

2021-04-1222:15:13

CWE-20

[email protected]

web.nvd.nist.gov

synapse

matrix

homeserver

input validation

resource exhaustion

security advisory

vulnerability

nvd

cve-2021-21393

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.3%

JSON

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

Affected configurations

Vulners

NVD

Node

matrix-orgsynapseRange<1.28.0

CPENameOperatorVersion
matrix:synapsematrix synapselt1.28.0

CPE	Name	Operator	Version
matrix:synapse	matrix synapse	lt	1.28.0

CNA Affected

[
  {
    "product": "synapse",
    "vendor": "matrix-org",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.28.0"
      }
    ]
  }
]