Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints

2021-04-1315:12:51

Google

osv.dev

0.002 Low

EPSS

Percentile

57.3%

JSON

Impact

Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.

Patches

The issue is fixed by #9321.

Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

Using email as third-party identifiers be disabled by not configuring the email setting.
Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
- ^/_matrix/client/(r0|unstable)/register/email
- ^/_matrix/client/(r0|unstable)/register/msisdn
- ^/_matrix/client/(r0|unstable)/account/password
- ^/_matrix/client/(r0|unstable)/account/3pid

CPENameOperatorVersion
matrix-synapseeq1.16.0
matrix-synapseeq1.13.0rc1
matrix-synapseeq0.99.0rc4
matrix-synapseeq0.34.0
matrix-synapseeq0.99.1rc2
matrix-synapseeq1.19.0rc1
matrix-synapseeq0.99.5.1
matrix-synapseeq1.20.1
matrix-synapseeq0.99.0rc2
matrix-synapseeq1.26.0

Name	Operator	Version
matrix-synapse	eq	1.16.0
matrix-synapse	eq	1.13.0rc1
matrix-synapse	eq	0.99.0rc4
matrix-synapse	eq	0.34.0
matrix-synapse	eq	0.99.1rc2
matrix-synapse	eq	1.19.0rc1
matrix-synapse	eq	0.99.5.1
matrix-synapse	eq	1.20.1
matrix-synapse	eq	0.99.0rc2
matrix-synapse	eq	1.26.0