Metric | CVSS2 | CVSS3
---|---|---
Attack Vector | NETWORK | NETWORK
Attack Complexity | MEDIUM | LOW
Authentication / Privileges Required | NONE | NONE
User Interaction | n/a | REQUIRED
Scope | n/a | CHANGED
Confidentiality Impact | PARTIAL | LOW
Integrity Impact | PARTIAL | LOW
Availability Impact | NONE | NONE
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentile: 39.4%
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user-provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection, server administrators should remove the deprecated federation_ip_range_blacklist setting from their configuration after upgrading to Synapse v1.25.0, which will result in Synapse using the improved default IP address restrictions. See the new ip_range_blacklist and ip_range_whitelist settings if more specific control is necessary.
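An added example (not Synapse's own code) of the kind of check the fix describes: before contacting a user-provided domain, resolve it and refuse the request when any resolved address falls in a blocked range unless an allow-list entry overrides it. The range list, the allow-list-wins rule and the resolver mapping are assumptions constructed for this example; consult your homeserver.yaml for the authoritative ip_range_blacklist / ip_range_whitelist values.

```python
import ipaddress

# Assumed default block list, modelled on the private, loopback and link-local
# ranges a homeserver should never reach on behalf of a remote user. Not the
# authoritative Synapse default; treat it as an illustration.
ASSUMED_DEFAULT_BLOCKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
]


def _parse(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_address_allowed(addr, blocklist, allowlist=()):
    """True if addr may be contacted. An allow-list match overrides the block list."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are checked as their IPv4
    # form, so the mapped notation cannot slip past an IPv4-only range.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in _parse(allowlist)):
        return True
    return not any(ip in net for net in _parse(blocklist))


def is_host_allowed(host, resolve, blocklist=ASSUMED_DEFAULT_BLOCKLIST, allowlist=()):
    """Allow the request only if every address the host resolves to is allowed.

    Checking all answers (not just the first) matters because a name that
    returns one public and one internal address must still be refused.
    """
    addrs = list(resolve(host))
    if not addrs:
        return False
    return all(is_address_allowed(a, blocklist, allowlist) for a in addrs)


# Constructed resolver standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "push.example.org": ["203.0.113.10"],                 # public only
    "mixed.example.net": ["203.0.113.20", "10.0.0.5"],    # public + internal
    "link-local.example.net": ["169.254.0.1"],
    "mapped.example.net": ["::ffff:192.168.1.1"],         # IPv4-mapped IPv6
}


def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])
```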
OS | OS Version | Architecture | Package | Package Version | Filename
---|---|---|---|---|---
ubuntu | 18.04 | noarch | matrix-synapse | < any | UNKNOWN
ubuntu | 20.04 | noarch | matrix-synapse | < any | UNKNOWN
github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746
github.com/matrix-org/synapse/pull/8821
github.com/matrix-org/synapse/releases/tag/v1.25.0
github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p
launchpad.net/bugs/cve/CVE-2021-21273
nvd.nist.gov/vuln/detail/CVE-2021-21273
security-tracker.debian.org/tracker/CVE-2021-21273
www.cve.org/CVERecord?id=CVE-2021-21273