Open redirects on some federation and push requests
CVE-2021-21273

3.1LOW

Key Information:

Vendor: Matrix-org
Status: Synapse
Vendor: CVE Published:; 26 February 2021

What is CVE-2021-21273?

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated federation_ip_range_blacklist from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new ip_range_blacklist and ip_range_whitelist settings if more specific control is necessary.

Affected Version(s)

synapse < 1.25.0

References

https://github.com/matrix-org/synapse/releases/tag/v1.25.0

x_refsource_MISC

https://github.com/matrix-org/synapse/security/advisories...

x_refsource_CONFIRM

https://github.com/matrix-org/synapse/pull/8821

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2021
Vulnerability Reserved
Dec 22, 2020

Matrix-org

What is CVE-2021-21273?

Affected Version(s)

References

CVSS V3.1

Timeline