CVE-2021-29471Uncontrolled Resource Consumption in Synapse

CWE-400Uncontrolled Resource ConsumptionCWE-331Insufficient Entropy6 documents5 sources
Severity
5.3MEDIUMNVD
CNA3.7
EPSS
0.6%
top 30.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedMay 11
Latest updateMay 13

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The is

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDmatrix/synapse< 1.33.2
CVEListV5matrix-org/synapse< 1.33.2

Also affects: Fedora 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Denial of service attack via push rule patterns in matrix-synapse2021-05-13
OSV
Denial of service attack via push rule patterns in matrix-synapse2021-05-13
OSV
CVE-2021-29471: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse)2021-05-11
CVEList
Denial of service in Matrix Synapse2021-05-11

📋Vendor Advisories

1
Debian
CVE-2021-29471: matrix-synapse - Synapse is a Matrix reference homeserver written in python (pypi package matrix-...2021
CVE-2021-29471 — Uncontrolled Resource Consumption | cvebase