Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.
The issue is fixed by #9321.
Depending on the needs and configuration of the homeserver, a few mitigation options are available:
Using email addresses as third-party identifiers can be disabled by not configuring the email setting.
Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
^/_matrix/client/(r0|unstable)/register/email
^/_matrix/client/(r0|unstable)/register/msisdn
^/_matrix/client/(r0|unstable)/account/password
^/_matrix/client/(r0|unstable)/account/3pid
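One way to apply the reverse-proxy mitigation above with nginx, as an added example that is not part of the advisory; the upstream name, listener address and hostname are assumptions for illustration, and the location regexes are the four patterns listed above:

```nginx
# Added example (not from the advisory): deny the affected endpoints at an
# nginx reverse proxy in front of Synapse. "synapse_backend", the listener
# address and the hostname are placeholders.
upstream synapse_backend {
    server 127.0.0.1:8008;   # assumed Synapse client listener
}

server {
    listen 443 ssl;
    server_name matrix.example.org;   # placeholder hostname

    # Regex locations are tested in order and the first match wins, so these
    # deny rules must come before the catch-all /_matrix proxy location.
    # The two blocks below cover exactly the four patterns from the advisory.
    location ~ ^/_matrix/client/(r0|unstable)/register/(email|msisdn) {
        return 403;
    }
    location ~ ^/_matrix/client/(r0|unstable)/account/(password|3pid) {
        return 403;
    }

    # Everything else under /_matrix is proxied to Synapse as usual.
    location /_matrix {
        proxy_pass http://synapse_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        client_max_body_size 50M;
    }
}
```

Because the patterns are unanchored at the end, they also match sub-paths such as password-reset and third-party-identifier management requests, so clients lose those features until the fix from #9321 is deployed; after applying the config, confirm with a request to one of the blocked paths that the proxy answers 403 and that ordinary `/_matrix/client/r0/login` traffic still reaches Synapse.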
github.com/matrix-org/synapse
github.com/matrix-org/synapse/pull/9321
github.com/matrix-org/synapse/pull/9393
github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362
lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
nvd.nist.gov/vuln/detail/CVE-2021-21394
pypi.org/project/matrix-synapse