First published: Tue Nov 23 2021
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, block the affected endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
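The traversal the advisory describes, and the two checks that stop it (a strict server-name validator and the exact-match federation whitelist), as an added Python example. This is illustrative code written for this page, not Synapse's own implementation: the on-disk layout (`remote_content/<server>/<2 chars>/<2 chars>/<rest of a random id>`), the server-name pattern and the function names are assumptions, and the base directory and file id are constructed values.

```python
import os
import re
from pathlib import Path
from typing import Iterable

# Assumed shape of a Matrix server name: dot-separated hostname labels (an IPv4
# literal fits the same pattern) or a bracketed IPv6 literal, with an optional
# ":port". Illustrative check, not Synapse's own server-name parser.
_SERVER_NAME_RE = re.compile(
    r"^(?:[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})*"  # hostname / IPv4
    r"|\[[0-9A-Fa-f:.]+\])"                              # [IPv6]
    r"(?::\d{1,5})?$"                                    # optional port
)

# Assumed on-disk layout for remote media: the remote server name becomes a
# directory, and the last two directories plus the file name come from a
# random file id that the requester does not control.
_REMOTE_SUBDIR = "remote_content"


def is_valid_server_name(server_name: str) -> bool:
    """Reject anything that is not a plain server name, including '/' and '..'."""
    return _SERVER_NAME_RE.match(server_name) is not None


def is_whitelisted(server_name: str, federation_whitelist: Iterable[str]) -> bool:
    """Exact-match whitelist check. A name carrying trailing '../' components
    never equals a whitelisted hostname, which is why whitelisted deployments
    were not affected."""
    return server_name in federation_whitelist


def unsafe_remote_media_path(base_dir: str, server_name: str, file_id: str) -> str:
    """Vulnerable pattern: the requester-controlled server name is joined into
    the storage path unvalidated, so '..' components walk out of base_dir even
    though the file id (and so the final directories and name) is random."""
    return os.path.join(
        base_dir, _REMOTE_SUBDIR, server_name, file_id[0:2], file_id[2:4], file_id[4:]
    )


def safe_remote_media_path(base_dir: str, server_name: str, file_id: str) -> str:
    """Hardened version: validate the server name up front, then confirm the
    resolved path still lies inside base_dir before handing it back."""
    if not is_valid_server_name(server_name):
        raise ValueError(f"invalid server name: {server_name!r}")
    base = Path(base_dir).resolve()
    candidate = (
        base / _REMOTE_SUBDIR / server_name / file_id[0:2] / file_id[2:4] / file_id[4:]
    ).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes media store: {candidate}")
    return str(candidate)


def escapes_base(base_dir: str, path: str) -> bool:
    """True when `path`, after normalising '..' components, is outside base_dir."""
    base = Path(base_dir).resolve()
    return base not in Path(path).resolve().parents


if __name__ == "__main__":
    base = "/srv/synapse/media_store"  # constructed example path
    file_id = "3f9a1c7e2b"             # constructed stand-in for a random id
    bad_name = "evil.example/../../.."  # server name with trailing '../'s
    print("unsafe:", unsafe_remote_media_path(base, bad_name, file_id))
    print("safe:  ", safe_remote_media_path(base, "matrix.org", file_id))
    try:
        safe_remote_media_path(base, bad_name, file_id)
    except ValueError as exc:
        print("rejected:", exc)
```

Two layers are used on purpose: the name check rejects malformed input before any path is built, and the `resolve()` containment check catches anything the pattern might let through (or a future code path that skips validation). The whitelist check shows why a federation whitelist was a sufficient guard on its own: comparison is on the whole string, so a hostname with `../` appended never matches.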
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Matrix Synapse | <1.47.1 | Upgrade to 1.47.1 or later
Fedoraproject Fedora | =34 |
Fedoraproject Fedora | =35 |
CVE-2021-41281 is a vulnerability in Synapse, a package for Matrix homeservers, which allows downloading a file from a remote server into an arbitrary directory without authentication.
CVE-2021-41281 affects Synapse instances with the media repository enabled: the affected endpoint, which requires no authentication, can be tricked into downloading a file from a remote server into an arbitrary directory.
The severity of CVE-2021-41281 is high with a CVSS score of 7.5.
To fix CVE-2021-41281 in Synapse, update to version 1.47.1 or later. Refer to the Synapse release notes and GitHub advisory for more information.
CVE-2021-41281 falls under CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').