Improper authorisation of /members discloses room membership to non-members
CVE-2021-39164

3.1LOW

Key Information:

Vendor

Matrix-org

Status
Synapse
Vendor
CVE Published:
31 August 2021

What is CVE-2021-39164?

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with shared history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: /_matrix/client/r0/rooms/{room_id}/members with at query parameter, and /_matrix/client/unstable/rooms/{room_id}/members with at query parameter.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

synapse < 1.41.1

References

https://github.com/matrix-org/synapse/commit/cb35df940a
x_refsource_MISC
https://github.com/matrix-org/synapse/releases/tag/v1.41.1
x_refsource_MISC
https://github.com/matrix-org/synapse/security/advisories...
x_refsource_CONFIRM

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.