What is CVE-2021-21394?

CVE-2021-21394 is a vulnerability found in Synapse, a Matrix reference homeserver, that allows for input validation bypass.

What is the severity of CVE-2021-21394?

The severity of CVE-2021-21394 is medium with a CVSS score of 6.5.

How does CVE-2021-21394 impact Synapse?

CVE-2021-21394 allows attackers to bypass input validation on certain endpoints used to confirm third-party identity.

How do I fix CVE-2021-21394?

To fix CVE-2021-21394, it is recommended to update Synapse to version 1.28.0 or later.

What is the Common Weakness Enumeration (CWE) ID for CVE-2021-21394?

The CWE ID for CVE-2021-21394 is CWE-20, which stands for Improper Input Validation.

Vulnerability/
CVE-2021-21394

medium

6.5

CWE

12/4/2021

23/11/2021

CVE-2021-21394: Input Validation

First published: Mon Apr 12 2021(Updated: )

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Synapse	>0.17.0<1.28.0
Fedoraproject Fedora	=34

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-21394?
CVE-2021-21394 is a vulnerability found in Synapse, a Matrix reference homeserver, that allows for input validation bypass.
What is the severity of CVE-2021-21394?
The severity of CVE-2021-21394 is medium with a CVSS score of 6.5.
How does CVE-2021-21394 impact Synapse?
CVE-2021-21394 allows attackers to bypass input validation on certain endpoints used to confirm third-party identity.
How do I fix CVE-2021-21394?
To fix CVE-2021-21394, it is recommended to update Synapse to version 1.28.0 or later.
What is the Common Weakness Enumeration (CWE) ID for CVE-2021-21394?
The CWE ID for CVE-2021-21394 is CWE-20, which stands for Improper Input Validation.

collector/nvd-index
agent/references
agent/severity
agent/author
vendor/matrix
canonical/matrix synapse
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/34

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.