CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
68.8%
Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.
The issue is fixed by #9321.
Depending on the needs and configuration of the homeserver, a few options are available:
Using email as a third-party identifier can be disabled by not configuring the email setting.
Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
^/_matrix/client/(r0|unstable)/register/email
^/_matrix/client/(r0|unstable)/register/msisdn
^/_matrix/client/(r0|unstable)/account/password
^/_matrix/client/(r0|unstable)/account/3pid
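The following is an added example of how the four patterns above can be applied at an nginx reverse proxy; it is not part of the advisory or of the Synapse project. It assumes an upstream named synapse (a hypothetical name) and that the proxy already forwards /_matrix and /_synapse/client to it. Because nginx evaluates regex locations in the order they appear and takes the first match, the deny blocks must come before the catch-all proxy location.

```nginx
# Added example, not from the advisory or from Synapse.
# Reject the affected endpoint patterns with 403 before anything is proxied.
# Each regex is anchored at the start of the path, exactly as in the advisory.
location ~ ^/_matrix/client/(r0|unstable)/register/(email|msisdn) {
    return 403;
}
location ~ ^/_matrix/client/(r0|unstable)/account/(password|3pid) {
    return 403;
}

# Catch-all for everything else Synapse serves. Must come AFTER the deny
# blocks: nginx uses the first matching regex location.
location ~ ^(/_matrix|/_synapse/client) {
    proxy_pass http://synapse;   # hypothetical upstream name
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
}
```

Note that the advisory's patterns are prefixes: ^/_matrix/client/(r0|unstable)/account/password also matches the plain password-change endpoint, and ^/_matrix/client/(r0|unstable)/account/3pid also matches the endpoint that lists or removes a user's existing third-party identifiers. Blocking them therefore disables those client features as well, not only the token-request sub-paths, so this is a stopgap until the fixed Synapse version is deployed.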
github.com/advisories/GHSA-w9fg-xffh-p362
github.com/matrix-org/synapse/pull/9321
github.com/matrix-org/synapse/pull/9393
github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml
lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
nvd.nist.gov/vuln/detail/CVE-2021-21394
pypi.org/project/matrix-synapse