Open Redirect

Affecting matrix-synapse package, versions [,1.28.0)


Overview

matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.

Affected versions of this package are vulnerable to Open Redirect. Requests to user-provided domains are not restricted to external IP addresses when transitional IPv6 addresses are used. Outbound requests made for federation, to identity servers, when calculating the key validity for third-party invite events, when sending push notifications, and when generating URL previews are all affected. This can cause Synapse to make requests to internal infrastructure on dual-stack networks.
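The failure mode described above, as an added illustration that is not Synapse's own code: an outbound-request blocklist that compares the literal resolved address against IPv4 ranges lets an IPv6 address that embeds an IPv4 address slip through. The example assumes "transitional IPv6 addresses" means IPv4-mapped (::ffff:a.b.c.d) and 6to4 (2002::/16) forms; the blocked ranges, the function names and the sample resolution results are all constructed for this example.

```python
# Added illustration (not Synapse's code): why an outbound-request blocklist
# must normalise IPv4-embedded IPv6 addresses before checking them.
import ipaddress

# Constructed blocklist of loopback, private and link-local ranges, the kind a
# homeserver uses to keep federation, identity-server, push and URL-preview
# requests away from internal infrastructure.
BLOCKED_RANGES = [
    ipaddress.ip_network(r)
    for r in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    )
]


def naive_is_blocked(addr: str) -> bool:
    """Weak check: tests the address object as parsed.

    '::ffff:127.0.0.1' parses as an IPv6Address, so it is never 'in' an IPv4
    network and the check passes, although on a dual-stack host the
    connection reaches the IPv4 loopback.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_RANGES)


def unwrap_embedded_ipv4(ip):
    """Return the IPv4 address embedded in an IPv4-mapped or 6to4 IPv6
    address, or the address itself when nothing is embedded."""
    if isinstance(ip, ipaddress.IPv6Address):
        embedded = ip.ipv4_mapped or ip.sixtofour
        if embedded is not None:
            return embedded
    return ip


def hardened_is_blocked(addr: str) -> bool:
    """Hardened check: normalise first, then compare against the ranges.

    After unwrapping, '::ffff:127.0.0.1' becomes 127.0.0.1 and is matched by
    127.0.0.0/8; plain IPv6 addresses are checked against the IPv6 ranges.
    """
    ip = unwrap_embedded_ipv4(ipaddress.ip_address(addr))
    return any(ip in net for net in BLOCKED_RANGES)


def reject_internal(resolved):
    """Given every address a user-supplied name resolved to (constructed
    input here), return the ones a hardened client must refuse. The check
    is applied per resolved address, not to the hostname, because the
    attacker controls the DNS answer for their own domain."""
    return [a for a in resolved if hardened_is_blocked(a)]


if __name__ == "__main__":
    # Constructed resolution result for a hypothetical user-supplied domain.
    answers = ["203.0.113.5", "::ffff:10.0.0.1", "2002:7f00:0001::"]
    print("naive blocks   :", [a for a in answers if naive_is_blocked(a)])
    print("hardened blocks:", reject_internal(answers))
```

The point of the comparison is that both checks agree on plain IPv4 and plain IPv6 input; they diverge only on embedded forms, which is exactly the gap the advisory describes. Applying the check to each resolved address (after DNS, before connect) rather than to the hostname is what closes it.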

Remediation

Upgrade matrix-synapse to version 1.28.0 or higher.

CVSS Score

6.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Credit
mscherer
CVE
CVE-2021-21392
CWE
CWE-601
Snyk ID
SNYK-PYTHON-MATRIXSYNAPSE-1245051
Disclosed
13 Apr, 2021
Published
13 Apr, 2021