First published: Fri Mar 26 2021
### Impact

The password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

### Patches

This is fixed in #9200.

### Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

1. Password resets can be disabled by delegating email to a third-party service (via the `account_threepid_delegates.email` setting) or disabling email (by not configuring the `email` setting).
2. If the homeserver is not configured to use passwords (via the `password_config.enabled` setting) then the affected endpoint can be blocked at a reverse proxy:
   * `/_synapse/client/password_reset/email/submit_token`
3. The `password_reset_confirmation.html` template can be overridden with a custom template that manually escapes the variables using [Jinja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.
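As an added illustration of the third workaround, not code from the Synapse project, the following Python contrasts reflecting a request-supplied value into a confirmation page verbatim with HTML-escaping it first. It uses the standard library's `html.escape`, which covers the same characters as Jinja2's `escape` filter, so it runs without Jinja2 installed. The page markup, the `token` variable name and the sample values are constructed assumptions.

```python
import html
from string import Template

# Constructed stand-in for a password-reset confirmation page. The markup and the
# ``token`` variable name are assumptions; Synapse's real Jinja2 template is not
# reproduced here.
CONFIRMATION_TEMPLATE = Template(
    "<html><body>"
    "<p>You are about to reset your password.</p>"
    '<form method="post">'
    '<input type="hidden" name="token" value="$token">'
    '<input type="submit" value="Confirm">'
    "</form></body></html>"
)

# Constructed sample values: the first closes the attribute and tag it lands in and
# injects its own element, the second is what a well-formed token looks like.
SAMPLE_HOSTILE_TOKEN = '"><script>alert(1)</script>'
SAMPLE_BENIGN_TOKEN = "abc123DEF"


def render_unescaped(values: dict) -> str:
    """Vulnerable pattern: request-supplied values land in the HTML verbatim."""
    return CONFIRMATION_TEMPLATE.substitute(values)


def render_escaped(values: dict) -> str:
    """Hardened pattern: every value is HTML-escaped before substitution.

    html.escape(..., quote=True) rewrites & < > " ' to entities, the same
    character set Jinja2's ``escape`` filter handles (only the entity spelling
    of the single quote differs between the two).
    """
    safe = {name: html.escape(str(value), quote=True) for name, value in values.items()}
    return CONFIRMATION_TEMPLATE.substitute(safe)


def reflects_raw_markup(page: str, value: str) -> bool:
    """Detection check: True if a value containing markup characters appears in
    the rendered page unchanged, i.e. it was not escaped on the way in."""
    return any(ch in value for ch in '<>"\'&') and value in page


if __name__ == "__main__":
    print(render_unescaped({"token": SAMPLE_HOSTILE_TOKEN}))
    print(render_escaped({"token": SAMPLE_HOSTILE_TOKEN}))
```

In a real template override the same effect is obtained by writing `{{ variable | escape }}` for each interpolated value.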
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrix Synapse | <1.27.0 | |
| Fedoraproject Fedora | =34 | |
| pip/matrix-synapse | <1.27.0 | 1.27.0 |
CVE-2021-21332 is a vulnerability in Synapse, a Matrix reference homeserver, that allows for cross-site scripting (XSS) attacks.
CVE-2021-21332 has a severity rating of 8.2, which is considered high.
CVE-2021-21332 affects Synapse versions up to and excluding 1.27.0, making them vulnerable to cross-site scripting (XSS) attacks.
To fix CVE-2021-21332, upgrade to Synapse version 1.27.0 or higher.
Yes, Fedora version 34 is affected by CVE-2021-21332.