First published: Tue May 11 2021 (Updated: )
Synapse is the Matrix reference homeserver, written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open, federated instant messaging and VoIP. In Synapse before version 1.33.2, push rules can specify conditions under which they match, including `event_match`, which compares event content against a pattern that may contain wildcards. Certain patterns cause very poor performance in the matching engine, so a user who installs such a rule can cause a denial of service when the server processes events of moderate length. The issue is patched in version 1.33.2. A possible workaround is to prevent users from creating custom push rules by blocking those requests at a reverse proxy; note that the same push rule endpoints are also used by clients to enable, disable or change the actions of the server's built-in rules, so a blanket block affects those features too.
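To make the failure mode concrete, here is an added example that is not Synapse's code and not the change in the linked commit: a naive glob-to-regex translation of the kind a push rule evaluator might use, timed against a constructed short message with a pattern of repeated `*`, next to an iterative wildcard matcher whose work is bounded by the product of pattern length and message length. The glob dialect assumed is the push rule one (`*` matches any run of characters, `?` one character, comparison is case-insensitive); the function names and the sample message are assumptions made for this illustration.

```python
import re
import time


def naive_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Naive glob-to-regex translation: '*' -> '.*', '?' -> '.', rest escaped.

    Hypothetical translation written for this illustration, not the one in
    Synapse; it has the backtracking shape the advisory describes.
    """
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def naive_match(glob: str, text: str) -> bool:
    """Match via the backtracking regex engine (the slow path)."""
    return naive_glob_to_regex(glob).match(text) is not None


def glob_match(glob: str, text: str) -> bool:
    """Iterative wildcard matcher, O(len(glob) * len(text)) in the worst case.

    Rather than letting a regex engine explore every way to divide the text
    among the '*'s, remember only the most recent '*' and the text position
    it was tried at; on a mismatch, rewind to just after that star with one
    more character absorbed by it. Case-insensitive, like push rule globs.
    """
    g, t = glob.lower(), text.lower()
    gi = ti = 0             # cursors into glob and text
    star_gi = star_ti = -1  # last '*' seen and where the text cursor was then
    while ti < len(t):
        if gi < len(g) and (g[gi] == "?" or g[gi] == t[ti]):
            gi += 1
            ti += 1
        elif gi < len(g) and g[gi] == "*":
            star_gi, star_ti = gi, ti
            gi += 1
        elif star_gi != -1:
            star_ti += 1
            gi, ti = star_gi + 1, star_ti
        else:
            return False
    # Trailing '*'s may match the empty string.
    while gi < len(g) and g[gi] == "*":
        gi += 1
    return gi == len(g)


def time_match(matcher, glob: str, text: str):
    """Run one matcher and return (result, seconds elapsed)."""
    start = time.perf_counter()
    result = matcher(glob, text)
    return result, time.perf_counter() - start


def main() -> None:
    # Constructed sample: a short chat message, not a real Matrix event.
    message = "hello from the test run"
    for stars in (4, 6, 8):
        # Repeated '*' followed by a character the message does not contain:
        # the regex engine tries every way to divide the message among the
        # stars before giving up, so the time grows steeply with each star.
        glob = "*" * stars + "x"
        for name, matcher in (("naive regex", naive_match), ("iterative", glob_match)):
            result, elapsed = time_match(matcher, glob, message)
            print(f"{name:12s} {glob!r:16s} -> {result} in {elapsed:.4f}s")


if __name__ == "__main__":
    main()
```

Collapsing runs of consecutive `*` before translation removes this particular pattern, but a pattern such as `*a*a*a*a*a*b` against a message made mostly of `a`s exercises the same backtracking with no adjacent stars, which is why the iterative matcher, or a regex engine with guaranteed linear behaviour, is the more robust choice.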
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Matrix Synapse | <1.33.2 | Upgrade to 1.33.2 or later |
Fedoraproject Fedora | =34 | |
CVE-2021-29471 is a denial-of-service vulnerability in the Synapse Matrix reference homeserver: the `event_match` condition of a user-defined push rule accepts wildcard patterns, and certain patterns make the matching engine extremely slow when it evaluates events of moderate length.
CVE-2021-29471 has a severity rating of 5.3 (medium).
Matrix Synapse versions before 1.33.2 and Fedora 34 are affected by CVE-2021-29471.
To fix CVE-2021-29471, upgrade to Synapse version 1.33.2 or later; until then, blocking requests that create custom push rules at a reverse proxy is a possible workaround.
You can find more information about CVE-2021-29471 in the references provided: [Link 1](https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c), [Link 2](https://github.com/matrix-org/synapse/releases/tag/v1.33.2), [Link 3](https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85).