Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-JJ53-8FMW-F2W2
HistorySep 01, 2021 - 6:25 p.m.

Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.

2021-09-0118:25:44
CWE-200
GitHub Advisory Database
github.com
13

0.001 Low

EPSS

Percentile

49.5%

JSON

Impact

Unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where:

  • the vulnerable homeserver is in the room; and
  • untrusted users are permitted to create groups (communities).

By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting enable_group_creation has been set to true are impacted.

Patches

Server administrators should upgrade to 1.41.1 or higher.

Workarounds

Server administrators can set enable_group_creation to false in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators.

Administrators that are using a reverse proxy could, with partial loss of group functionality, block the following endpoints:

  • /_matrix/client/r0/groups/{group_id}/rooms
  • /_matrix/client/unstable/groups/{group_id}/rooms

References

n/a

For more information

If you have any questions or comments about this advisory, e-mail us at [email protected].

CPENameOperatorVersion
matrix-synapselt1.41.1

Related

prion 1
veracode 1
cnvd 1
osv 3
ubuntucve 1
alpinelinux 1
cvelist 1
cve 1
debiancve 1
fedora 2
nessus 1
openvas 2
freebsd 1
prion
prion
Design/Logic Flaw
2021-08-31 16:15:00
veracode
veracode
Privilege Escalation
2021-09-01 03:33:36
cnvd
cnvd
Matrix Information Disclosure Vulnerability (CNVD-2021-70122)
2021-09-02 00:00:00
osv
osv
Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
2021-09-01 18:25:44
PYSEC-2021-424
2021-08-31 16:15:00
CVE-2021-39163
2021-08-31 16:15:07
ubuntucve
ubuntucve
CVE-2021-39163
2021-08-31 00:00:00
alpinelinux
alpinelinux
CVE-2021-39163
2021-08-31 16:15:07
cvelist
cvelist
CVE-2021-39163 Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
2021-08-31 16:00:11
cve
cve
CVE-2021-39163
2021-08-31 16:15:07
debiancve
debiancve
CVE-2021-39163
2021-08-31 16:15:07
fedora
fedora
[SECURITY] Fedora 34 Update: matrix-synapse-1.41.1-1.fc34
2021-09-08 15:07:22
[SECURITY] Fedora 35 Update: matrix-synapse-1.41.1-1.fc35
2021-09-24 20:41:56
nessus
nessus
FreeBSD : py-matrix-synapse -- several vulnerabilities (a67e358c-0bf6-11ec-875e-901b0e9408dc)
2021-09-07 00:00:00
openvas
openvas
Fedora: Security Advisory for matrix-synapse (FEDORA-2021-2e8ed15b14)
2021-09-09 00:00:00
Fedora: Security Advisory for matrix-synapse (FEDORA-2021-f12fdca1bf)
2021-10-02 00:00:00
freebsd
freebsd
py-matrix-synapse -- several vulnerabilities
2021-08-31 00:00:00

0.001 Low

EPSS

Percentile

49.5%

JSON
Related for GHSA-JJ53-8FMW-F2W2
prion1veracode1cnvd1osv3ubuntucve1alpinelinux1cvelist1cve1debiancve1fedora2nessus1openvas2freebsd1