Improper Input Validation Affecting matrix-synapse package, versions *
Snyk ID: SNYK-UBUNTU2004-MATRIXSYNAPSE-1245193
- Published: 13 Apr 2021
- Disclosed: 12 Apr 2021
- Introduced: 12 Apr 2021
CVE: CVE-2021-21393
How to fix?
There is no fixed version for Ubuntu:20.04 matrix-synapse.
NVD Description
Note: Versions mentioned in the description apply only to the upstream matrix-synapse package and not the matrix-synapse package as distributed by Ubuntu.
See How to fix? for Ubuntu:20.04 relevant fixed versions and status.
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated instant messaging and VoIP. In Synapse before version 1.28.0, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory, leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary; not all clients might abide by them. Refer to the referenced GitHub security advisory for additional details, including workarounds.
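The failure mode described above, as an added illustration that is not Synapse's code and is not taken from the upstream advisory or PRs: a hypothetical third-party-identifier confirmation handler that stores client-supplied parameters without bounding their length, beside a hardened version that rejects over-long, missing or non-string parameters before any write. The handler names, the parameter names (`sid`, `client_secret`, `token`) and the 255-byte limits are assumptions chosen for the example; the in-memory `FakeStore` stands in for the database so the bytes written by each version can be compared on a constructed oversized request.

```python
# Added illustration for this advisory; this is NOT Synapse's code. The
# handler names, parameter names and limits below are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Mapping

# Assumed per-parameter byte limits for a hypothetical 3PID confirmation
# endpoint. Synapse's real limits are in the upstream advisory and PRs.
MAX_PARAM_BYTES: Dict[str, int] = {"sid": 255, "client_secret": 255, "token": 255}


class ValidationError(ValueError):
    """A rejected request parameter, carrying the HTTP status to return."""

    def __init__(self, status: int, msg: str) -> None:
        super().__init__(msg)
        self.status = status


@dataclass
class FakeStore:
    """Stand-in for the database table the endpoint writes to.

    Tracks bytes written so the effect of (un)validated input is measurable.
    """

    rows: List[Dict[str, str]] = field(default_factory=list)
    bytes_written: int = 0

    def insert(self, row: Dict[str, str]) -> None:
        self.rows.append(row)
        self.bytes_written += sum(len(v.encode("utf-8")) for v in row.values())


def confirm_unvalidated(store: FakeStore, params: Mapping[str, str]) -> int:
    """Vulnerable pattern: whatever the client sent is stored as-is.

    A client can send megabytes in each field, and every such request grows
    the table (disk) and the in-flight request objects (memory) without bound.
    Returns an HTTP-style status code.
    """
    row = {name: params.get(name, "") for name in MAX_PARAM_BYTES}
    store.insert(row)
    return 200


def validate_params(params: Mapping[str, object],
                    limits: Mapping[str, int] = MAX_PARAM_BYTES) -> Dict[str, str]:
    """Reject missing, non-string or over-long parameters before any I/O.

    Lengths are measured in UTF-8 bytes, since that is what gets stored and
    what the disk budget is spent in; len(str) would count code points instead.
    """
    clean: Dict[str, str] = {}
    for name, limit in limits.items():
        value = params.get(name)
        if value is None:
            raise ValidationError(400, f"missing parameter: {name}")
        if not isinstance(value, str):
            raise ValidationError(400, f"parameter must be a string: {name}")
        if len(value.encode("utf-8")) > limit:
            raise ValidationError(400, f"parameter too long: {name}")
        clean[name] = value
    return clean


def confirm_validated(store: FakeStore, params: Mapping[str, object]) -> int:
    """Hardened pattern: validate first, write only if every field is in bounds."""
    try:
        row = validate_params(params)
    except ValidationError as err:
        return err.status
    store.insert(row)
    return 200


def demo(oversize: int = 1_000_000) -> Dict[str, int]:
    """Run one constructed oversized request through both handlers.

    Returns the status each handler gave and the bytes each wrote.
    """
    # Constructed abusive request: one field padded far beyond any sane limit.
    request = {"sid": "A" * oversize, "client_secret": "s", "token": "t"}
    vuln_store, safe_store = FakeStore(), FakeStore()
    return {
        "unvalidated_status": confirm_unvalidated(vuln_store, request),
        "unvalidated_bytes": vuln_store.bytes_written,
        "validated_status": confirm_validated(safe_store, request),
        "validated_bytes": safe_store.bytes_written,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats apply to the hardened form. First, it validates the parsed value, so the request body has already been read into memory by the time the check runs; a server must also cap the request body size at the HTTP layer (or at a reverse proxy in front of it) so that oversized bodies are refused before parsing. Second, the limits are byte limits on the stored encoding, which is what the disk cost is actually measured in; a character-count limit would let a client spend up to four times the intended bytes per field with multi-byte UTF-8.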
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-21393
- https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
- https://github.com/matrix-org/synapse/pull/9321
- https://github.com/matrix-org/synapse/pull/9393
- https://pypi.org/project/matrix-synapse/