CVE-2021-39163Sensitive Information Exposure in Synapse

CWE-200Sensitive Information ExposureCWE-863Incorrect Authorization6 documents5 sources
Severity
3.1LOWNVD
EPSS
0.3%
top 49.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedAug 31
Latest updateSep 1

Description

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already acces

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

NVDmatrix/synapse< 1.41.1
CVEListV5matrix-org/synapse< 1.41.1

Also affects: Fedora 34, 35

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.2021-09-01
GHSA
Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.2021-09-01
OSV
CVE-2021-39163: Matrix is an ecosystem for open federated Instant Messaging and Voice over IP2021-08-31
CVEList
Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.2021-08-31

📋Vendor Advisories

1
Debian
CVE-2021-39163: matrix-synapse - Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. I...2021
CVE-2021-39163 — Sensitive Information Exposure | cvebase