CVE-2021-21333: HTML injection in email and account expiry notifications
First published: Fri Mar 26 2021(Updated: )
### Impact The notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. ### Patches This issue is fixed in #9200. ### Workarounds For the missed messages notifications: The `notif.html`, `notif_mail.html`, and `room.html` templates can be overridden with custom templates that manually escapes the variables using [JInja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting. For the account expiry notifications: 1. Account expiry can be disabled via the `account_validity.enabled` setting. 2. The `notice_expiry.html` template can be overridden with a custom template that manually escapes the variables using [JInja2's `escape` filter](https://jinja.palletsprojects.com/en/2.11.x/templates/#escape). See the `email.template_dir` setting.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrix Synapse | <1.27.0 | |
| Fedoraproject Fedora | =34 | |
| pip/matrix-synapse | <1.27.0 | 1.27.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
- https://github.com/matrix-org/synapse/pull/9200
- https://github.com/matrix-org/synapse/releases/tag/v1.27.0
- https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21333
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
- https://github.com/advisories/GHSA-c5f8-35qr-q4fm (Advisory)
Frequently Asked Questions
What is CVE-2021-21333?
CVE-2021-21333 is a vulnerability in Synapse, a Matrix reference homeserver, that allows an attacker to intercept email notifications for missed messages or expiring accounts.
How severe is CVE-2021-21333?
CVE-2021-21333 has a severity level of 6.1 (medium).
What is the affected software for CVE-2021-21333?
The affected software for CVE-2021-21333 includes Matrix Synapse versions up to and excluding 1.27.0, as well as Fedoraproject Fedora version 34.
How can I fix CVE-2021-21333?
To fix CVE-2021-21333, upgrade Matrix Synapse to version 1.27.0 or higher.
What is the CWE classification of CVE-2021-21333?
The CWE classifications for CVE-2021-21333 are CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c5f8-35qr-q4fm
- alias/CVE-2021-21333
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- agent/description
- agent/first-publish-date
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/matrix
- canonical/matrix synapse
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- package-manager/pip