CVE-2021-41281
Vulnerability from cvelistv5
Published
2021-11-23 19:15
Modified
2024-08-04 03:08
Severity ?
EPSS score ?
Summary
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | matrix-org | synapse |
Version: < 1.47.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.942Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/matrix-org/synapse/commit/91f2bd090" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1" }, { "name": "FEDORA-2021-2f9dcdbace", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/" }, { "name": "FEDORA-2021-9758549fce", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "synapse", "vendor": "matrix-org", "versions": [ { "status": "affected", "version": "\u003c 1.47.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-09T02:06:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/matrix-org/synapse/commit/91f2bd090" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1" }, { "name": "FEDORA-2021-2f9dcdbace", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/" }, { "name": "FEDORA-2021-9758549fce", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/" } ], "source": { "advisory": "GHSA-3hfw-x7gx-437c", "discovery": "UNKNOWN" }, "title": "Path traversal in Matrix Synapse", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41281", "STATE": "PUBLIC", "TITLE": "Path traversal in Matrix Synapse" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "synapse", "version": { "version_data": [ { "version_value": "\u003c 1.47.1" } ] } } ] }, "vendor_name": "matrix-org" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c", "refsource": "CONFIRM", "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c" }, { "name": "https://github.com/matrix-org/synapse/commit/91f2bd090", "refsource": "MISC", "url": "https://github.com/matrix-org/synapse/commit/91f2bd090" }, { "name": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1", "refsource": "MISC", "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1" }, { "name": "FEDORA-2021-2f9dcdbace", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/" }, { "name": "FEDORA-2021-9758549fce", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/" } ] }, "source": { "advisory": "GHSA-3hfw-x7gx-437c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41281", "datePublished": "2021-11-23T19:15:18", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.942Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-41281\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-11-23T20:15:11.687\",\"lastModified\":\"2024-11-21T06:25:57.620\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.\"},{\"lang\":\"es\",\"value\":\"Synapse es un paquete para servidores dom\u00e9sticos Matrix escrito en Python 3/Twisted. En versiones anteriores a 1.47.1, las instancias de Synapse con el repositorio de medios habilitado pueden ser enga\u00f1adas para descargar un archivo de un servidor remoto en un directorio arbitrario. No es requerida autenticaci\u00f3n para el endpoint afectado. Los dos \u00faltimos directorios y el nombre del archivo de la ruta son elegidos al azar por Synapse y no pueden ser controlados por un atacante, lo que limita el impacto. Los servidores dom\u00e9sticos con el repositorio de medios deshabilitado no est\u00e1n afectados. Los servidores dom\u00e9sticos con una lista blanca de la federaci\u00f3n tampoco est\u00e1n afectados, ya que Synapse comprobar\u00e1 el nombre de host remoto, incluyendo el final \\\"../\\\", con la lista blanca. Los administradores de servidores deben actualizar a la versi\u00f3n 1.47.1 o posterior. Los administradores de servidores que usen un proxy inverso podr\u00edan, a costa de perder la funcionalidad de los medios de comunicaci\u00f3n, bloquear ciertos endpoints como soluci\u00f3n. Como alternativa, los despliegues sin contenedores pueden adaptarse para usar la configuraci\u00f3n systemd endurecida\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.47.1\",\"matchCriteriaId\":\"29702D95-7A8E-4406-83F8-083CCF57C31D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}],\"references\":[{\"url\":\"https://github.com/matrix-org/synapse/commit/91f2bd090\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/matrix-org/synapse/releases/tag/v1.47.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/matrix-org/synapse/commit/91f2bd090\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/matrix-org/synapse/releases/tag/v1.47.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.