CVE-2021-21392Open Redirect in Synapse

CWE-601Open Redirect6 documents5 sources
Severity
6.3MEDIUMNVD
EPSS
0.2%
top 57.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedApr 12
Latest updateApr 13

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:NExploitability: 2.1 | Impact: 4.2

Affected Packages2 packages

NVDmatrix/synapse< 1.28.0
CVEListV5matrix-org/synapse< 1.28.0

Also affects: Fedora 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Open redirect via transitional IPv6 addresses on dual-stack networks2021-04-13
OSV
Open redirect via transitional IPv6 addresses on dual-stack networks2021-04-13
OSV
CVE-2021-21392: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)2021-04-12
CVEList
Open redirect via transitional IPv6 addresses on dual-stack networks2021-04-12

📋Vendor Advisories

1
Debian
CVE-2021-21392: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...2021
CVE-2021-21392 — Open Redirect in Matrix-org Synapse | cvebase