Vulnerability Name:

CVE-2021-39164 (CCN-208441)

Assigned:2021-08-31
Published:2021-08-31
Updated:2022-10-25
Summary:Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.
CVSS v3 Severity:3.1 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.7 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-39164

Source: XF
Type: UNKNOWN
matrix-cve202139164-info-disc(208441)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/matrix-org/synapse/commit/cb35df940a

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.41.1

Source: CCN
Type: Synapse GIT Repository
Improper authorisation of /members discloses room membership to non-members

Source: CONFIRM
Type: Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-f12fdca1bf

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-2e8ed15b14

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-39164

Vulnerable Configuration:Configuration 1:
  • cpe:/a:matrix:synapse:*:*:*:*:*:*:*:* (Version < 1.41.1)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:matrix:synapse:1.41.0:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:112972
    P
    		matrix-synapse-1.43.0-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106421
    P
    		matrix-synapse-1.43.0-1.1 on GA media (Moderate)
    2021-10-01
    BACK
    matrix synapse *
    fedoraproject fedora 34
    fedoraproject fedora 35
    matrix synapse 1.41.0 -