What is CVE-2021-29471?

CVE-2021-29471 is a vulnerability in the Synapse Matrix reference homeserver that allows "Push rules" to match events under certain conditions.

What is the severity of CVE-2021-29471?

CVE-2021-29471 has a severity rating of 5.3 (medium).

Which software is affected by CVE-2021-29471?

The Matrix Synapse version up to 1.33.2 and Fedoraproject Fedora version 34 are affected by CVE-2021-29471.

How can I fix CVE-2021-29471?

To fix CVE-2021-29471, upgrade to Synapse version 1.33.2 or later.

Where can I find more information about CVE-2021-29471?

You can find more information about CVE-2021-29471 in the references provided: [Link 1](https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c), [Link 2](https://github.com/matrix-org/synapse/releases/tag/v1.33.2), [Link 3](https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85).

Vulnerability/
CVE-2021-29471

medium

5.3

CWE

331 400

11/5/2021

5/4/2022

CVE-2021-29471

First published: Tue May 11 2021(Updated: )

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Synapse	<1.33.2
Fedoraproject Fedora	=34

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-29471?
CVE-2021-29471 is a vulnerability in the Synapse Matrix reference homeserver that allows "Push rules" to match events under certain conditions.
What is the severity of CVE-2021-29471?
CVE-2021-29471 has a severity rating of 5.3 (medium).
Which software is affected by CVE-2021-29471?
The Matrix Synapse version up to 1.33.2 and Fedoraproject Fedora version 34 are affected by CVE-2021-29471.
How can I fix CVE-2021-29471?
To fix CVE-2021-29471, upgrade to Synapse version 1.33.2 or later.
Where can I find more information about CVE-2021-29471?
You can find more information about CVE-2021-29471 in the references provided: [Link 1](https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c), [Link 2](https://github.com/matrix-org/synapse/releases/tag/v1.33.2), [Link 3](https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.