CVE-2021-21394Improper Input Validation in Synapse

CWE-20Improper Input Validation6 documents5 sources
Severity
6.5MEDIUMNVD
CNA5.3
EPSS
0.5%
top 33.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedApr 12
Latest updateApr 13

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmatrix/synapse< 1.28.0
CVEListV5matrix-org/synapse< 1.28.0

Also affects: Fedora 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints2021-04-13
GHSA
Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints2021-04-13
OSV
CVE-2021-21394: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)2021-04-12
CVEList
Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints2021-04-12

📋Vendor Advisories

1
Debian
CVE-2021-21394: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...2021
CVE-2021-21394 — Improper Input Validation in Synapse | cvebase