CVE-2021-39164 — Sensitive Information Exposure in Synapse

CWE-200 — Sensitive Information Exposure CWE-863 — Incorrect Authorization6 documents5 sources

Severity

3.1LOWNVD

EPSS

0.5%

top 34.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Synapse Matrix Synapse Fedoraproject Fedora

Timeline

PublishedAug 31

Latest updateSep 1

Description

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

▶NVDmatrix/synapse< 1.41.1

▶CVEListV5matrix-org/synapse< 1.41.1

Also affects: Fedora 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Improper authorisation of members discloses room membership to non-members↗2021-09-01

▶

OSV

Improper authorisation of members discloses room membership to non-members↗2021-09-01

▶

CVEList

Improper authorisation of /members discloses room membership to non-members↗2021-08-31

▶

OSV

CVE-2021-39164: Matrix is an ecosystem for open federated Instant Messaging and Voice over IP↗2021-08-31

▶

📋Vendor Advisories

Debian

CVE-2021-39164: matrix-synapse - Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. I...↗2021

▶