CVE-2021-21393: Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints
First published: Mon Apr 12 2021(Updated: )
### Impact Missing input validation of some parameters on the groups (also known as communities) endpoints could cause excessive use of disk space and memory leading to resource exhaustion. Additionally clients may have issues rendering large fields. ### Patches This issue is fixed by #9321 and #9393. ### Workarounds The groups feature can be disabled (by setting `enable_group_creation` to `False`) to mitigate this issue. Note that it is disabled by default. ### Other information Note that the groups feature is not part of the [Matrix specification](https://matrix.org/docs/spec/) and the chosen maximum lengths are arbitrary. Not all clients might abide by them.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrix Synapse | >0.24.0<1.28.0 | |
| Fedoraproject Fedora | =34 | |
| pip/matrix-synapse | <1.28.0 | 1.28.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/matrix-org/synapse/pull/9321
- https://github.com/matrix-org/synapse/pull/9393
- https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
- https://pypi.org/project/matrix-synapse/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21393
- https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128
- https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
- https://pypi.org/project/matrix-synapse
- https://github.com/advisories/GHSA-jrh7-mhhx-6h88 (Advisory)
Frequently Asked Questions
What is CVE-2021-21393?
CVE-2021-21393 is a vulnerability in Synapse, a Matrix reference homeserver written in Python.
What is Synapse?
Synapse is a Matrix reference homeserver written in Python.
What is Matrix?
Matrix is an ecosystem for open federated Instant Messaging and VoIP.
What is the severity of CVE-2021-21393?
CVE-2021-21393 has a severity level of medium.
How do I fix CVE-2021-21393?
To fix CVE-2021-21393, update to Synapse version 1.28.0 or later.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/title
- agent/weakness
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jrh7-mhhx-6h88
- alias/CVE-2021-21393
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/matrix
- canonical/matrix synapse
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- package-manager/pip