Insecure Defaults

Affecting matrix-synapse package, versions [,1.25.0)

Overview

matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.

Affected versions of this package are vulnerable to Insecure Defaults. Requests to user-provided domains are not restricted to external IP addresses when calculating the key validity for third-party invite events and when sending push notifications. As a result, Synapse could be made to send requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible.

Remediation

Upgrade matrix-synapse to version 1.25.0 or higher.
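Restricting these outbound requests to external addresses, as the remediation implies, means checking where a user-supplied host actually resolves before connecting to it. The block below is an added example of such a check and is not Synapse's own code; the block-list ranges are an assumption for the example (the usual loopback, private and link-local space), as are the hostnames used in the comments.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound request made on behalf of a user must never reach. Assumed
# for this example (usual loopback/private/link-local), not Synapse's exact list.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/64", "fc00::/7",
)]

def _normalise(addr):
    """Parse an IP literal; an IPv4-mapped IPv6 address (::ffff:10.0.0.1)
    is judged as its IPv4 form so it cannot slip past the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_blocked(addr, blocked=BLOCKED_RANGES):
    return any(_normalise(addr) in net for net in blocked)

def system_resolver(host):
    # Every A/AAAA answer from the OS resolver (needs network access).
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def vetted_addresses(url, resolve=system_resolver, blocked=BLOCKED_RANGES):
    """Return the addresses a request to url may go to, or raise ValueError.
    Every resolved address is checked, so a name with one public and one
    internal answer is rejected; connect to the returned list, not a re-resolve."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    try:
        addrs = [str(_normalise(parts.hostname))]   # IP literal: no lookup
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname}: name did not resolve")
    for addr in addrs:
        if is_blocked(addr, blocked):
            raise ValueError(f"{parts.hostname} resolves to blocked {addr}")
    return addrs

def is_allowed(url, resolve=system_resolver):
    try:
        vetted_addresses(url, resolve)
        return True
    except ValueError:
        return False
```

Passing a resolver function instead of calling DNS directly is what lets the check be exercised offline; in production the default `system_resolver` is used and the returned addresses are the ones the HTTP client must connect to.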

CVSS Score: 3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Credit: Unknown
CVE: CVE-2021-21273
CWE: CWE-453
Snyk ID: SNYK-PYTHON-MATRIXSYNAPSE-1080613
Disclosed: 28 Feb, 2021
Published: 28 Feb, 2021