CVE-2021-21274: Uncontrolled Resource Consumption
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open, federated instant messaging and VoIP. In Synapse, a malicious homeserver could redirect requests for its .well-known file to a large file. This can lead to a denial-of-service attack in which homeservers consume significantly more resources when requesting the .well-known file of the malicious homeserver. This affects any server which accepts federation requests from untrusted servers. As a workaround, the federation_domain_whitelist setting can be used to restrict the homeservers communicated with over federation.
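As an added example (not Synapse's own code), the following Python shows the defensive pattern that addresses this issue: the body of /.well-known/matrix/server is read with a hard byte cap, so a redirect to a large file costs at most the cap before the lookup is abandoned. The cap value, the exception names and the EndlessStream stand-in are assumptions made for the example.

```python
"""Bounded read of a Matrix server .well-known document (added example)."""
import io
import json
import urllib.request

MAX_WELL_KNOWN_BYTES = 50 * 1024  # assumption: generous cap for a tiny JSON file


class WellKnownTooLarge(Exception):
    """Raised as soon as the body exceeds the cap; the rest is never buffered."""


class WellKnownInvalid(Exception):
    """Raised when the body is not a usable .well-known document."""


def read_bounded(stream, max_bytes):
    """Read at most max_bytes from a file-like object; one extra byte is
    requested only to detect that the peer is sending more than allowed."""
    chunks, total = [], 0
    while True:
        chunk = stream.read(min(4096, max_bytes - total + 1))
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            raise WellKnownTooLarge(f"body exceeded {max_bytes} bytes")
        chunks.append(chunk)


def parse_well_known(body):
    """Return the delegated server name from {"m.server": "host:port"}."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise WellKnownInvalid(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("m.server"), str):
        raise WellKnownInvalid('missing "m.server" string')
    return doc["m.server"]


def resolve_well_known(stream, max_bytes=MAX_WELL_KNOWN_BYTES):
    """Cap first, parse second: the cap applies to whatever the redirect led to."""
    return parse_well_known(read_bounded(stream, max_bytes))


def fetch_well_known(server_name, max_bytes=MAX_WELL_KNOWN_BYTES, timeout=10):
    """Network variant (assumption: urllib, which follows redirects by default)."""
    url = f"https://{server_name}/.well-known/matrix/server"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resolve_well_known(resp, max_bytes)


class EndlessStream:
    """Constructed stand-in for a redirect target that never stops sending."""
    def read(self, n=-1):
        return b"0" * (n if n > 0 else 4096)
```

Running resolve_well_known on io.BytesIO(b'{"m.server": "matrix.example.org:443"}') returns the delegated name, while EndlessStream() raises WellKnownTooLarge after max_bytes plus one byte.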