CVE-2021-41281

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/matrix-synapse

Identifiers

CVE-2021-41281, GHSA-3hfw-x7gx-437c

Package Slug

pypi/matrix-synapse

Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Synapse is a package for Matrix homeservers written in Python 3/Twisted. The last two directories and the file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation allowlist are also unaffected, since Synapse checks the remote hostname, including the trailing ../s, against the allowlist. Server administrators using a reverse proxy can, at the expense of losing media functionality, block the affected endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
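The description above implies that a remote server name containing ../ components was used when building a path under the media store. The following is an added illustration of the two defensive layers a media-store implementation wants here: strict validation of the server name before it is used as a path component, and a containment check that the resolved path still lies inside the store. It is not Synapse's own code; the directory layout (remote_content/<server>/<aa>/<bb>/<rest>), the function names, the simplified server-name grammar (IPv6 literals only as bracketed forms, optional :port) and the MEDIA_STORE location are assumptions made for this example.

```python
import os
import re

# Constructed media store location for the example; not a Synapse default.
MEDIA_STORE = "/var/lib/synapse/media_store"

# Assumed, simplified server-name grammar: DNS labels (or a bracketed IPv6
# literal) with an optional numeric port.  Every label must be non-empty and
# made only of letters, digits and hyphens, so ".", ".." and "/" can never
# become a path component.
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")
_IPV6_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")
_PORT_RE = re.compile(r"^\d{1,5}$")


def is_valid_server_name(server_name: str) -> bool:
    """Return True only for a server name that is safe to embed in a path."""
    if not server_name or len(server_name) > 255:
        return False
    host, port = server_name, None
    if host.startswith("["):
        # IPv6 literal: "[::1]" or "[::1]:8448"
        end = host.find("]")
        if end == -1:
            return False
        host, rest = host[: end + 1], host[end + 1 :]
        if rest:
            if not rest.startswith(":"):
                return False
            port = rest[1:]
        if not _IPV6_LITERAL_RE.match(host):
            return False
    else:
        if ":" in host:
            host, port = host.rsplit(":", 1)
        # Each dotted label must match; this rejects "", ".", ".." and "../".
        if not all(_LABEL_RE.match(label) for label in host.split(".")):
            return False
    if port is not None and not (_PORT_RE.match(port) and int(port) <= 65535):
        return False
    return True


def path_is_within(base_dir: str, candidate: str) -> bool:
    """Containment check: True if the resolved candidate is inside base_dir."""
    base_real = os.path.realpath(base_dir)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([base_real, cand_real]) == base_real


def remote_media_path(base_dir: str, server_name: str, file_id: str) -> str:
    """Build the on-disk path for a piece of remote media, refusing anything
    that would escape base_dir.  Layout is an assumption for this example."""
    if not is_valid_server_name(server_name):
        raise ValueError("invalid server name: %r" % server_name)
    # The random file id is generated by the server, but validate it anyway.
    if not re.fullmatch(r"[A-Za-z0-9_-]{6,}", file_id):
        raise ValueError("invalid file id: %r" % file_id)
    candidate = os.path.join(
        base_dir, "remote_content", server_name, file_id[:2], file_id[2:4], file_id[4:]
    )
    if not path_is_within(base_dir, candidate):
        raise ValueError("media path escapes the store: %r" % candidate)
    return os.path.realpath(candidate)


if __name__ == "__main__":
    print(remote_media_path(MEDIA_STORE, "matrix.example.org:8448", "AbCdEf1234"))
    for bad in ["../../..", "..", "example.org/../..", ""]:
        try:
            remote_media_path(MEDIA_STORE, bad, "AbCdEf1234")
        except ValueError as exc:
            print("rejected:", exc)
```

The validation layer is the actual fix for this class of bug; the containment check is defence in depth, so a future change that relaxes the grammar still cannot write outside the store. Note that the allowlist behaviour mentioned above works for the same reason: a name with trailing ../ components is compared as a whole and never matches an allowlisted host.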

Affected Versions

All versions before 1.47.1

Solution

Upgrade to version 1.47.1 or above.

Last Modified

2021-11-30
