CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39163 – Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
https://notcve.org/view.php?id=CVE-2021-39163
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. • https://github.com/matrix-org/synapse/commit/cb35df940a https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29471 – Denial of service in Matrix Synapse
https://notcve.org/view.php?id=CVE-2021-29471
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. • https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c https://github.com/matrix-org/synapse/releases/tag/v1.33.2 https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY • CWE-331: Insufficient Entropy CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21392 – Open redirect via transitional IPv6 addresses on dual-stack networks
https://notcve.org/view.php?id=CVE-2021-21392
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. • https://github.com/matrix-org/synapse/pull/9240 https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY https://pypi.org/project/matrix-synapse • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21393 – Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints
https://notcve.org/view.php?id=CVE-2021-21393
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. • https://github.com/matrix-org/synapse/pull/9321 https://github.com/matrix-org/synapse/pull/9393 https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY https://pypi.org/project/matrix-synapse • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21394 – Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints
https://notcve.org/view.php?id=CVE-2021-21394
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. • https://github.com/matrix-org/synapse/pull/9321 https://github.com/matrix-org/synapse/pull/9393 https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY https://pypi.org/project/matrix-synapse • CWE-20: Improper Input Validation •