Vulnerability Details : CVE-2021-21273
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user-provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection, server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0, which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.
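The mitigation described above is an egress filter: before contacting a user-supplied domain (push gateway or identity server), resolve it and refuse the request if any resulting address falls inside an internal range. The following is an added illustration of that check in Python, not Synapse's own code; the block list entries, the rule that the allowlist wins over the blocklist, and the `example.org` DNS answers are all assumptions constructed for the example.

```python
import ipaddress
from typing import Callable, List

# Assumed example blocklist of internal/reserved ranges, constructed for this
# illustration; consult your Synapse version's documented ip_range_blacklist default.
EXAMPLE_BLOCKLIST = [
    ipaddress.ip_network(n) for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    )
]

def _matches(ip, nets) -> bool:
    """True if ip, or the IPv4 inside an IPv4-mapped IPv6 address, lies in any net."""
    candidates = [ip]
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        candidates.append(mapped)
    return any(c in n for c in candidates for n in nets)

def is_allowed(address: str, blocklist=EXAMPLE_BLOCKLIST, allowlist=()) -> bool:
    """Allowlist takes precedence over blocklist (assumed whitelist/blacklist semantics)."""
    ip = ipaddress.ip_address(address)
    if _matches(ip, allowlist):
        return True
    return not _matches(ip, blocklist)

def check_destination(hostname: str, resolve: Callable[[str], List[str]],
                      blocklist=EXAMPLE_BLOCKLIST, allowlist=()) -> List[str]:
    """Resolve hostname; return its addresses only if every one of them is allowed.

    Rejecting on any blocked answer, instead of silently skipping it, stops a
    mixed DNS response from steering the connection to an internal host.
    """
    addresses = resolve(hostname)
    blocked = [a for a in addresses if not is_allowed(a, blocklist, allowlist)]
    if blocked:
        raise ValueError(f"refusing request to {hostname}: blocked addresses {blocked}")
    return addresses

# Constructed stand-in for DNS so the example runs offline (example.org names).
FAKE_DNS = {
    "push.example.org": ["203.0.113.5"],
    "idserver.example.org": ["203.0.113.9", "10.0.0.7"],
    "loopback.example.org": ["::ffff:127.0.0.1"],
}
```

The filter has to run on the resolved addresses, not on the hostname string, since a public-looking name can resolve to a loopback or RFC 1918 address.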
Vulnerability category: Open redirect
Products affected by CVE-2021-21273
- cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21273
- 0.09%: probability of exploitation activity in the next 30 days
- ~39%: percentile, the proportion of vulnerabilities that are scored at or less
EPSS Score History
CVSS scores for CVE-2021-21273
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | 1.6 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2021-21273
- The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2021-21273
- https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746
  Apply an IP range blacklist to push and key revocation requests. (#8821) · matrix-org/synapse@30fba62 · GitHub (Patch; Third Party Advisory)
- https://github.com/matrix-org/synapse/releases/tag/v1.25.0
  Release v1.25.0 · matrix-org/synapse · GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
  [SECURITY] Fedora 34 Update: matrix-synapse-1.38.1-1.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p
  Open redirects on some federation and push requests · Advisory · matrix-org/synapse · GitHub (Patch; Third Party Advisory)
- https://github.com/matrix-org/synapse/pull/8821
  Apply the federation_ip_range_blacklist to push and key revocation requests by clokep · Pull Request #8821 · matrix-org/synapse · GitHub (Patch; Third Party Advisory)