CVE-2021-21394

low-risk
Published 2021-04-12

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

Do I need to act?

-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Fedoraproject Matrix

References (10)

Patch https://github.com/matrix-org/synapse/pull/9321
Patch https://github.com/matrix-org/synapse/pull/9393
Patch https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Product https://pypi.org/project/matrix-synapse/
Patch https://github.com/matrix-org/synapse/pull/9321
Patch https://github.com/matrix-org/synapse/pull/9393
Patch https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Product https://pypi.org/project/matrix-synapse/
26
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 7/34 · Low