Vulnerability Name:

CVE-2021-41281

Assigned:2021-11-23
Published:2021-11-23
Updated:2021-12-14
Summary:Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, block certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type:CWE-22
References:Source: MITRE
Type: CNA
CVE-2021-41281

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/matrix-org/synapse/commit/91f2bd090

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.47.1

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-9758549fce

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-2f9dcdbace

Vulnerable Configuration:Configuration 1:
  • cpe:/a:matrix:synapse:*:*:*:*:*:*:*:* (Version < 1.47.1)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:112973 | P | matrix-synapse-1.47.1-1.1 on GA media (Moderate) | 2022-01-17
    matrix synapse *
    fedoraproject fedora 34
    fedoraproject fedora 35