Vulnerability-Lookup

PYSEC-2021-27

Vulnerability from pysec - Published: 2021-04-12 21:15 - Updated: 2021-04-21 17:02

Details

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

Impacted products

Name	purl
matrix-synapse	pkg:pypi/matrix-synapse

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse",
        "purl": "pkg:pypi/matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.28.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.33.5",
        "0.33.5.1",
        "0.33.6rc1",
        "0.33.6",
        "0.33.7rc1",
        "0.33.7rc2",
        "0.33.7",
        "0.33.8rc2",
        "0.33.8",
        "0.33.9",
        "0.34.0rc1",
        "0.34.0rc2",
        "0.34.0",
        "0.34.0.1",
        "0.34.1.1",
        "0.99.0rc1",
        "0.99.0rc2",
        "0.99.0rc3",
        "0.99.0rc4",
        "0.99.0",
        "0.99.1rc1",
        "0.99.1rc2",
        "0.99.1",
        "0.99.1.1",
        "0.99.2rc1",
        "0.99.2",
        "0.99.3rc1",
        "0.99.3",
        "0.99.3.1",
        "0.99.3.2",
        "0.99.4rc1",
        "0.99.4",
        "0.99.5rc1",
        "0.99.5",
        "0.99.5.1",
        "0.99.5.2",
        "1.0.0rc1",
        "1.0.0rc2",
        "1.0.0rc3",
        "1.0.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.1.0",
        "1.2.0rc1",
        "1.2.0rc2",
        "1.2.0",
        "1.2.1",
        "1.3.0rc1",
        "1.3.0",
        "1.3.1",
        "1.4.0rc1",
        "1.4.0rc2",
        "1.4.0",
        "1.4.1rc1",
        "1.4.1",
        "1.5.0rc1",
        "1.5.0rc2",
        "1.5.0",
        "1.5.1",
        "1.6.0rc1",
        "1.6.0rc2",
        "1.6.0",
        "1.6.1",
        "1.7.0rc1",
        "1.7.0rc2",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0rc1",
        "1.8.0",
        "1.9.0.dev1",
        "1.9.0.dev2",
        "1.9.0rc1",
        "1.9.0",
        "1.9.1",
        "1.10.0rc1",
        "1.10.0rc2",
        "1.10.0rc3",
        "1.10.0rc5",
        "1.10.0",
        "1.10.1",
        "1.11.0rc1",
        "1.11.0",
        "1.11.1",
        "1.12.0rc1",
        "1.12.0",
        "1.12.1rc1",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4rc1",
        "1.12.4",
        "1.13.0rc1",
        "1.13.0rc2",
        "1.13.0rc3",
        "1.13.0",
        "1.14.0rc1",
        "1.14.0rc2",
        "1.14.0",
        "1.15.0rc1",
        "1.15.0",
        "1.15.1",
        "1.15.2",
        "1.16.0rc1",
        "1.16.0rc2",
        "1.16.0",
        "1.16.1",
        "1.17.0rc1",
        "1.17.0",
        "1.18.0rc1",
        "1.18.0rc2",
        "1.18.0",
        "1.19.0rc1",
        "1.19.0",
        "1.19.1rc1",
        "1.19.1",
        "1.19.2",
        "1.19.3",
        "1.20.0rc1",
        "1.20.0rc2",
        "1.20.0rc3",
        "1.20.0rc4",
        "1.20.0rc5",
        "1.20.0",
        "1.20.1",
        "1.21.0rc1",
        "1.21.0rc2",
        "1.21.0rc3",
        "1.21.0",
        "1.21.1",
        "1.21.2",
        "1.22.0rc1",
        "1.22.0rc2",
        "1.22.0",
        "1.22.1",
        "1.23.0rc1",
        "1.23.0",
        "1.23.1",
        "1.24.0rc1",
        "1.24.0rc2",
        "1.24.0",
        "1.25.0rc1",
        "1.25.0",
        "1.26.0rc1",
        "1.26.0rc2",
        "1.26.0",
        "1.27.0rc1",
        "1.27.0rc2",
        "1.27.0",
        "1.28.0rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21394",
    "GHSA-w9fg-xffh-p362"
  ],
  "details": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.",
  "id": "PYSEC-2021-27",
  "modified": "2021-04-21T17:02:00Z",
  "published": "2021-04-12T21:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9321"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/matrix-synapse/"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9393"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"
    }
  ]
}

GHSA-W9FG-XFFH-P362

Vulnerability from github – Published: 2021-04-13 15:12 – Updated: 2024-09-24 20:08

Summary

Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints

Details

Impact

Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.

Patches

The issue is fixed by #9321.

Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

Using email as third-party identifiers be disabled by not configuring the email setting.
Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
- ^/_matrix/client/(r0|unstable)/register/email
- ^/_matrix/client/(r0|unstable)/register/msisdn
- ^/_matrix/client/(r0|unstable)/account/password
- ^/_matrix/client/(r0|unstable)/account/3pid

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

6.0 (Medium)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.28.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-12T21:01:40Z",
    "nvd_published_at": "2021-04-12T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nMissing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.\n\n### Patches\nThe issue is fixed by #9321.\n\n### Workarounds\nDepending on the needs and configuration of the homeserver a few options are available:\n\n1. Using email as third-party identifiers be disabled by not configuring the `email` setting.\n2. Using phone numbers as third-party identifiers can be disabled by ensuring that `account_threepid_delegates.msisdn` is not configured.\n3. Additionally, the affected endpoint patterns can be blocked at a reverse proxy:\n\n    * `^/_matrix/client/(r0|unstable)/register/email`\n    * `^/_matrix/client/(r0|unstable)/register/msisdn`\n    * `^/_matrix/client/(r0|unstable)/account/password`\n    * `^/_matrix/client/(r0|unstable)/account/3pid`",
  "id": "GHSA-w9fg-xffh-p362",
  "modified": "2024-09-24T20:08:23Z",
  "published": "2021-04-13T15:12:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21394"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9393"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/matrix-synapse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints"
}

CVE-2021-21394 (GCVE-0-2021-21394)

Vulnerability from cvelistv5 – Published: 2021-04-12 20:45 – Updated: 2024-08-03 18:09

Title

Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints

Summary

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/matrix-org/synapse/security/ad…	x_refsource_CONFIRM
	https://pypi.org/project/matrix-synapse/	x_refsource_MISC
	https://github.com/matrix-org/synapse/pull/9321	x_refsource_MISC
	https://github.com/matrix-org/synapse/pull/9393	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	matrix-org	synapse	Affected: < 1.28.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:16.108Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pypi.org/project/matrix-synapse/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/pull/9321"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/pull/9393"
          },
          {
            "name": "FEDORA-2021-a627cfd31e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "matrix-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.28.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-02T02:06:20",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pypi.org/project/matrix-synapse/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/pull/9321"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/pull/9393"
        },
        {
          "name": "FEDORA-2021-a627cfd31e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/"
        }
      ],
      "source": {
        "advisory": "GHSA-w9fg-xffh-p362",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21394",
          "STATE": "PUBLIC",
          "TITLE": "Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "synapse",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.28.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "matrix-org"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362",
              "refsource": "CONFIRM",
              "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"
            },
            {
              "name": "https://pypi.org/project/matrix-synapse/",
              "refsource": "MISC",
              "url": "https://pypi.org/project/matrix-synapse/"
            },
            {
              "name": "https://github.com/matrix-org/synapse/pull/9321",
              "refsource": "MISC",
              "url": "https://github.com/matrix-org/synapse/pull/9321"
            },
            {
              "name": "https://github.com/matrix-org/synapse/pull/9393",
              "refsource": "MISC",
              "url": "https://github.com/matrix-org/synapse/pull/9393"
            },
            {
              "name": "FEDORA-2021-a627cfd31e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-w9fg-xffh-p362",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21394",
    "datePublished": "2021-04-12T20:45:18",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:16.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2021-27

GHSA-W9FG-XFFH-P362

Impact

Patches

Workarounds

CVE-2021-21394 (GCVE-0-2021-21394)

Tags

Sightings

Nomenclature