Vulnerability Details : CVE-2021-39164
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.
Vulnerability category: Information leak
Products affected by CVE-2021-39164
- cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39164
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 35 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-39164
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
6.8
|
2.9
|
NIST | |
3.1
|
LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
1.6
|
1.4
|
NIST | |
3.1
|
LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
1.6
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2021-39164
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security-advisories@github.com (Primary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Secondary)
References for CVE-2021-39164
-
https://github.com/matrix-org/synapse/releases/tag/v1.41.1
Release v1.41.1 · matrix-org/synapse · GitHubRelease Notes;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/
[SECURITY] Fedora 34 Update: matrix-synapse-1.41.1-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/
[SECURITY] Fedora 35 Update: matrix-synapse-1.41.1-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/matrix-org/synapse/commit/cb35df940a
Merge pull request from GHSA-jj53-8fmw-f2w2 · matrix-org/synapse@cb35df9 · GitHubPatch;Third Party Advisory
-
https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q
Improper authorisation of /members discloses room membership to non-members · Advisory · matrix-org/synapse · GitHubThird Party Advisory
Jump to