PyPi: Matrix-Synapse

CVE-2021-29471

Safety vulnerability ID: 40438

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 11, 2021 Updated at Dec 11, 2024

Advisory

Matrix-synapse 1.33.2 includes a fix for CVE-2021-29471: Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open, federated instant messaging and VoIP. In Synapse before version 1.33.2, "push rules" can specify conditions under which they match, including `event_match`, which matches event content against a pattern that may contain wildcards. Certain patterns cause very poor performance in the matching engine, so an unprivileged user who creates such a rule can cause a denial of service when the server processes events of only moderate length. The issue was patched in version 1.33.2. A potential workaround is to prevent users from creating custom push rules by blocking the requests that create or modify push rules at a reverse proxy in front of Synapse.
https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85
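The block below is an added illustration, not code from Synapse, from this advisory or from the changelog entry that repeats it, of the class of problem the advisory describes: a glob pattern with several wildcards translated into a backtracking regular expression, which explores exponentially many ways to split the text among the wildcards when no match exists, next to a glob matcher whose worst case stays polynomial. The `naive_glob_to_regex` translation (`*` to `.*?`, `?` to `.`) is an assumption chosen to show the effect and is not a claim about how Synapse's `event_match` was implemented; `collapse_wildcards` and `glob_match` are hypothetical helpers; the sample text and patterns are constructed.

```python
import re
import time


def naive_glob_to_regex(glob: str) -> str:
    """Assumed (not Synapse's) glob -> regex translation: '*' -> '.*?', '?' -> '.'.

    Each '*' becomes an independent lazy quantifier, so a run of them in front
    of a literal that never appears in the text forces the regex engine to try
    every partition of the text among the wildcards before failing.
    """
    out = []
    for ch in glob:
        if ch == "*":
            out.append(".*?")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def naive_match(glob: str, text: str) -> bool:
    """Match using the backtracking regex produced above (case-insensitive)."""
    pattern = naive_glob_to_regex(glob)
    return re.fullmatch(pattern, text, re.IGNORECASE | re.DOTALL) is not None


def collapse_wildcards(glob: str) -> str:
    """Adjacent '*' are redundant: '***' matches exactly what '*' matches.

    Normalising user-supplied patterns this way removes the cheapest way of
    stacking many wildcards, but a pattern such as '*a*a*a*a*x' still has many
    independent quantifiers, so normalisation alone is not a complete defence.
    """
    return re.sub(r"\*+", "*", glob)


def glob_match(glob: str, text: str) -> bool:
    """Glob matcher without a regex engine: '*' matches any run, '?' one char.

    Classic two-pointer algorithm that, on a mismatch, backtracks only to the
    most recently seen '*' and lets it absorb one more character. Worst case is
    O(len(glob) * len(text)), never exponential. Matching is case-insensitive,
    as event_match patterns are.
    """
    g, t = glob.lower(), text.lower()
    gi = ti = 0
    star_gi = -1  # index in g just after the last '*' seen; -1 if none yet
    star_ti = 0   # index in t up to which that '*' currently consumes
    while ti < len(t):
        if gi < len(g) and g[gi] == "*":
            star_gi, star_ti = gi + 1, ti
            gi = star_gi
        elif gi < len(g) and (g[gi] == "?" or g[gi] == t[ti]):
            gi += 1
            ti += 1
        elif star_gi != -1:
            # mismatch after a '*': give that '*' one more character of text
            star_ti += 1
            ti = star_ti
            gi = star_gi
        else:
            return False
    # any trailing '*' in the glob matches the empty remainder of the text
    while gi < len(g) and g[gi] == "*":
        gi += 1
    return gi == len(g)


def time_both(glob: str, text: str):
    """Return (naive_seconds, safe_seconds) for one glob/text pair."""
    t0 = time.perf_counter()
    naive_match(glob, text)
    naive_s = time.perf_counter() - t0
    t0 = time.perf_counter()
    glob_match(glob, text)
    safe_s = time.perf_counter() - t0
    return naive_s, safe_s


if __name__ == "__main__":
    # Constructed input: a moderate-length event body with no 'x', so every
    # pattern below fails to match and the regex engine must exhaust its search.
    body = "a" * 20
    for stars in range(4, 9):
        pattern = "*" * stars + "x"
        naive_s, safe_s = time_both(pattern, body)
        print(f"{pattern:>10}  regex {naive_s:8.4f}s   two-pointer {safe_s:8.6f}s")
```

Running the block shows the regex time growing by roughly an order of magnitude with each extra wildcard while the two-pointer matcher stays flat; the same patterns are rejected in a single pass once collapsed to `*x`, which is why both normalising user-supplied patterns and choosing a non-backtracking matcher are worth doing for any server that evaluates user-controlled globs against every incoming event.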

Affected package

matrix-synapse

Latest version: 1.121.1

Homeserver for the Matrix decentralised comms protocol

Affected versions

<1.33.2

Fixed versions

1.33.2
Vulnerability changelog

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy. See CVE-2021-29471.


CONFIRM: https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85
MISC: https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c
MISC: https://github.com/matrix-org/synapse/releases/tag/v1.33.2

Severity Details

CVSS Base Score

MEDIUM 5.3

CVSS v3 Details

MEDIUM 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): LOW

CVSS v2 Details

MEDIUM 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL