cnvd - cnvd-2021-91275

cnvd-2021-91275

Vulnerability from cnvd

Title: Synapse路径遍历漏洞

Description:

Synapse是一个应用程序。用于开放式联合即时消息和VoIPSynapse。

Synapse 1.47.1之前版本存在路径遍历漏洞，攻击者可利用该漏洞绕过身份验证过程，从远程服务器下载文件到任意目录中。

Severity: 高

Patch Name: Synapse路径遍历漏洞的补丁

Patch Description:

Synapse是一个应用程序。用于开放式联合即时消息和VoIPSynapse。

Synapse 1.47.1之前版本存在路径遍历漏洞，攻击者可利用该漏洞绕过身份验证过程，从远程服务器下载文件到任意目录中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-41281

Impacted products

Name
Synapse synapse <1.47.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41281",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281"
    }
  },
  "description": "Synapse\u662f\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u3002\u7528\u4e8e\u5f00\u653e\u5f0f\u8054\u5408\u5373\u65f6\u6d88\u606f\u548cVoIPSynapse\u3002\n\nSynapse 1.47.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u8fc7\u7a0b\uff0c\u4ece\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0b\u8f7d\u6587\u4ef6\u5230\u4efb\u610f\u76ee\u5f55\u4e2d\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-91275",
  "openTime": "2021-11-25",
  "patchDescription": "Synapse\u662f\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u3002\u7528\u4e8e\u5f00\u653e\u5f0f\u8054\u5408\u5373\u65f6\u6d88\u606f\u548cVoIPSynapse\u3002\r\n\r\nSynapse 1.47.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u8fc7\u7a0b\uff0c\u4ece\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0b\u8f7d\u6587\u4ef6\u5230\u4efb\u610f\u76ee\u5f55\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Synapse\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Synapse synapse \u003c1.47.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281",
  "serverity": "\u9ad8",
  "submitTime": "2021-11-25",
  "title": "Synapse\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2021-41281 (GCVE-0-2021-41281)

Vulnerability from cvelistv5

Published

2021-11-23 19:15

Modified

2024-08-04 03:08

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.

References

▼	URL	Tags
	https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c	x_refsource_CONFIRM
	https://github.com/matrix-org/synapse/commit/91f2bd090	x_refsource_MISC
	https://github.com/matrix-org/synapse/releases/tag/v1.47.1	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	matrix-org	synapse	Version: < 1.47.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.942Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/commit/91f2bd090"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1"
          },
          {
            "name": "FEDORA-2021-2f9dcdbace",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/"
          },
          {
            "name": "FEDORA-2021-9758549fce",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "matrix-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.47.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-09T02:06:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/commit/91f2bd090"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1"
        },
        {
          "name": "FEDORA-2021-2f9dcdbace",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/"
        },
        {
          "name": "FEDORA-2021-9758549fce",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/"
        }
      ],
      "source": {
        "advisory": "GHSA-3hfw-x7gx-437c",
        "discovery": "UNKNOWN"
      },
      "title": "Path traversal in Matrix Synapse",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41281",
          "STATE": "PUBLIC",
          "TITLE": "Path traversal in Matrix Synapse"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "synapse",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.47.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "matrix-org"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c",
              "refsource": "CONFIRM",
              "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c"
            },
            {
              "name": "https://github.com/matrix-org/synapse/commit/91f2bd090",
              "refsource": "MISC",
              "url": "https://github.com/matrix-org/synapse/commit/91f2bd090"
            },
            {
              "name": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1",
              "refsource": "MISC",
              "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1"
            },
            {
              "name": "FEDORA-2021-2f9dcdbace",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/"
            },
            {
              "name": "FEDORA-2021-9758549fce",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-3hfw-x7gx-437c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41281",
    "datePublished": "2021-11-23T19:15:18",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted