CVE-2021-21393 – matrix-synapse
Package
Manager: pip
Name: matrix-synapse
Vulnerable Version: >=0 <1.28.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00548 (percentile 0.66918)
Details
Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints

### Impact
Missing input validation of some parameters on the groups (also known as communities) endpoints could cause excessive use of disk space and memory, leading to resource exhaustion. Additionally, clients may have issues rendering large fields.

### Patches
This issue is fixed by #9321 and #9393.

### Workarounds
The groups feature can be disabled (by setting `enable_group_creation` to `False`) to mitigate this issue. Note that it is disabled by default.

### Other information
Note that the groups feature is not part of the [Matrix specification](https://matrix.org/docs/spec/) and the chosen maximum lengths are arbitrary. Not all clients might abide by them.
Metadata
Created: 2021-04-13T15:12:40Z
Modified: 2024-09-30T20:39:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-jrh7-mhhx-6h88/GHSA-jrh7-mhhx-6h88.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-jrh7-mhhx-6h88
Finding: F184
Auto approve: 1