CVE-2021-41281: Path Traversal
First published: Tue Nov 23 2021(Updated: )
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing `../`s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrix Synapse | <1.47.1 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/matrix-org/synapse/commit/91f2bd090
- https://github.com/matrix-org/synapse/releases/tag/v1.47.1
- https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/
Frequently Asked Questions
What is CVE-2021-41281?
CVE-2021-41281 is a vulnerability in Synapse, a package for Matrix homeservers, which allows downloading a file from a remote server into an arbitrary directory without authentication.
How does CVE-2021-41281 affect Synapse instances with the media repository enabled?
CVE-2021-41281 affects Synapse instances with the media repository enabled by allowing the download of a file from a remote server into any directory, regardless of authentication.
What is the severity of CVE-2021-41281?
The severity of CVE-2021-41281 is high with a CVSS score of 7.5.
How can I fix CVE-2021-41281 in Synapse?
To fix CVE-2021-41281 in Synapse, update to version 1.47.1 or later. Refer to the Synapse release notes and GitHub advisory for more information.
What is CWE-22?
CWE-22 is a vulnerability category called Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), which is the category of vulnerability that CVE-2021-41281 falls under.
- collector/nvd-index
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/matrix
- canonical/matrix synapse
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35