CVE-2021-21393

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-21393
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21393.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21393
Aliases
Downstream
Related
Published
2021-04-12T22:15:13.227Z
Modified
2026-04-10T04:29:38.041801Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

References

Affected packages

Git / github.com/matrix-org/synapse

Affected ranges

Type
GIT
Repo
https://github.com/matrix-org/synapse
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2756517f7a6e17d2403de44981569dc18329315b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.28.0"
        }
    ]
}

Affected versions

Other
hhs-1
hhs-2
hhs-3
hhs-5
hhs-6
hhs-7
hhs-8
v0.*
v0.10.0
v0.10.0-r1
v0.10.0-r2
v0.11.0
v0.11.0-r1
v0.11.0-r2
v0.11.1
v0.12.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.16.0
v0.16.1
v0.16.1-r1
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.2.0
v0.2.1
v0.2.1a
v0.2.2
v0.23.0-rc1
v0.23.0-rc2
v0.25.0-rc1
v0.28.0-rc1
v0.3.0
v0.3.3
v0.3.4
v0.32.0
v0.32.0rc1
v0.32.2
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.3a
v0.5.3b
v0.5.3c
v0.5.4
v0.5.4a
v0.6.0
v0.6.0a
v0.6.0b
v0.6.1
v0.6.1a
v0.6.1b
v0.6.1c
v0.6.1d
v0.6.1e
v0.6.1f
v0.7.0
v0.7.0a
v0.7.0b
v0.7.0c
v0.7.0d
v0.7.0e
v0.7.0f
v0.7.1
v0.7.1-r1
v0.7.1-r2
v0.7.1-r3
v0.7.1-r4
v0.8.0
v0.8.1
v0.8.1-r1
v0.8.1-r2
v0.8.1-r3
v0.8.1-r4
v0.9.0
v0.9.0-r1
v0.9.0-r2
v0.9.0-r3
v0.9.0-r4
v0.9.0-r5
v0.9.1
v0.9.2
v0.9.2-r1
v0.9.2-r2
v0.9.3
v0.99.1rc1
v0.99.2rc1
v0.99.4rc1
v0.99.5.1.dev0
v1.*
v1.1.0rc1
v1.1.0rc2
v1.10.0rc1
v1.11.0rc1
v1.12.0rc1
v1.14.0rc1
v1.15.0rc1
v1.16.0rc1
v1.17.0rc1
v1.18.0rc1
v1.23.0rc1
v1.24.0rc1
v1.27.0rc1
v1.28.0rc1
v1.3.0rc1
v1.4.0rc1
v1.5.0rc1
v1.6.0rc1
v1.8.0rc1
v1.9.0.dev1
v1.9.0.dev2
v1.9.0rc1

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21393.json"