Vulnerability Details: CVE-2021-21404
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.
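As an added illustration (not code from Syncthing or its advisory), the following Go shows the input-validation gap behind this class of crash: a length-prefixed frame reader that trusts a signed length field beside one that rejects negative or oversized values before allocating. The frame layout (big-endian int32 length plus payload) and the maxFrameLen bound are constructed for this example, not Syncthing's wire format.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Constructed frame layout for this example: a signed big-endian int32 length
// followed by the payload. It is not Syncthing's actual wire format.
const maxFrameLen = 1 << 20 // upper bound chosen for this example

// readFrameNaive trusts the length field; make([]byte, n) panics for negative n.
func readFrameNaive(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readFrameChecked rejects negative or oversized lengths before allocating.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if n < 0 || n > maxFrameLen {
		return nil, fmt.Errorf("relay frame: length %d out of range", n)
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// encodeFrame writes an arbitrary length field so a malformed header can be built.
func encodeFrame(length int32, payload []byte) []byte {
	b := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(b, uint32(length))
	return append(b, payload...)
}

func main() {
	bad := encodeFrame(-1, nil) // constructed malformed frame
	_, err := readFrameChecked(bytes.NewReader(bad))
	fmt.Println("checked reader rejects it:", err)
}
```

Feeding the same negative-length frame to readFrameNaive panics with a runtime "len out of range" error, which in a server without recovery ends the process; readFrameChecked returns an error the connection handler can log and drop.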
Vulnerability category: Input validation
Products affected by CVE-2021-21404
- cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21404
EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
Percentile: ~61% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-21404
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2021-21404
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-21404
- https://pkg.go.dev/github.com/syncthing/syncthing
  syncthing · pkg.go.dev (Product; Third Party Advisory)
- https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97
  Merge pull request from GHSA-x462-89pf-6r5h · syncthing/syncthing@fb4fdaf · GitHub (Patch; Third Party Advisory)
- https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
  Crash due to malformed relay protocol message · Advisory · syncthing/syncthing · GitHub (Third Party Advisory)
- https://github.com/syncthing/syncthing/releases/tag/v1.15.0
  Release v1.15.0 · syncthing/syncthing · GitHub (Release Notes; Third Party Advisory)