CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
68.8%
Missing input validation of some parameters on the groups (also known as communities) endpoints could cause excessive use of disk space and memory leading to resource exhaustion. Additionally clients may have issues rendering large fields.
This issue is fixed by #9321 and #9393.
The groups feature can be disabled (by setting enable_group_creation
to False
) to mitigate this issue. Note that it is disabled by default.
Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them.
github.com/advisories/GHSA-jrh7-mhhx-6h88
github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128
github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499
github.com/matrix-org/synapse/pull/9321
github.com/matrix-org/synapse/pull/9393
github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml
lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
nvd.nist.gov/vuln/detail/CVE-2021-21393
pypi.org/project/matrix-synapse
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
68.8%