GHSA-2hwx-mjrm-v3g8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2hwx-mjrm-v3g8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-2hwx-mjrm-v3g8/GHSA-2hwx-mjrm-v3g8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2hwx-mjrm-v3g8
- Aliases
- Related
- Published
- 2021-03-01T19:34:54Z
- Modified
- 2024-09-30T20:36:20.463201Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Denial of service attack via .well-known lookups
- Details
-
Impact
A malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver.
This affects any server which accepts federation requests from untrusted servers.
Patches
Issue is resolved by #8950. A bug not affecting the security aspects of this was fixed in #9108.
Workarounds
The
federation_domain_whitelistsetting can be used to restrict the homeservers communicated with over federation. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-400", "CWE-770" ], "nvd_published_at": "2021-02-26T18:15:00Z", "github_reviewed_at": "2021-03-01T19:03:06Z", "severity": "MODERATE" }- References
-
- https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8
- https://nvd.nist.gov/vuln/detail/CVE-2021-21274
- https://github.com/matrix-org/synapse/pull/8950
- https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6
- https://github.com/matrix-org/synapse
- https://github.com/matrix-org/synapse/releases/tag/v1.25.0
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-132.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
Affected packages
PyPI / matrix-synapse
Package
- Name
- matrix-synapse
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-synapse
Affected versions
0.*
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1