GHSA-x345-32rc-8h85
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x345-32rc-8h85
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x345-32rc-8h85/GHSA-x345-32rc-8h85.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x345-32rc-8h85
- Aliases
- Related
- Published
- 2021-05-13T20:22:51Z
- Modified
- 2024-09-30T20:48:43.374737Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Denial of service attack via push rule patterns in matrix-synapse
- Details
-
Impact
"Push rules" can specify conditions under which they will match, including
event_match, which matches event content against a pattern including wildcards.Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.
Patches
The issue is patched by https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c.
Workarounds
A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.
For more information
If you have any questions or comments about this advisory, email us at security@matrix.org.
- Database specific
{ "github_reviewed_at": "2021-05-11T17:19:15Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2021-05-11T15:15:00Z", "cwe_ids": [ "CWE-331", "CWE-400" ] }- References
-
- https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85
- https://nvd.nist.gov/vuln/detail/CVE-2021-29471
- https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c
- https://github.com/matrix-org/synapse
- https://github.com/matrix-org/synapse/releases/tag/v1.33.2
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
Affected packages
PyPI / matrix-synapse
Package
- Name
- matrix-synapse
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-synapse
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.33.2
Affected versions
0.*
0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0rc2
1.26.0
1.27.0rc1
1.27.0rc2
1.27.0
1.28.0rc1
1.28.0
1.29.0rc1
1.29.0
1.30.0rc1
1.30.0
1.30.1
1.31.0rc1
1.31.0
1.32.0rc1
1.32.0
1.32.1
1.32.2
1.33.0rc1
1.33.0rc2
1.33.0
1.33.1