CVE-2021-21273 — Open Redirect in Synapse

CWE-601 — Open Redirect6 documents5 sources

Severity

6.1MEDIUMNVD

CNA3.1

EPSS

0.3%

top 44.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Synapse Matrix Synapse Fedoraproject Fedora

Timeline

PublishedFeb 26

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmatrix/synapse< 1.25.0

▶CVEListV5matrix-org/synapse< 1.25.0

Also affects: Fedora 34

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Open redirects on some federation and push requests↗2021-02-26

▶

OSV

CVE-2021-21273: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)↗2021-02-26

▶

CVEList

Open redirects on some federation and push requests↗2021-02-26

▶

OSV

Open redirects on some federation and push requests↗2021-02-26

▶

📋Vendor Advisories

Debian

CVE-2021-21273: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...↗2021

▶