CVE-2021-21392: Open redirect via transitional IPv6 addresses on dual-stack networks
(updated )
Requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks.
References
- github.com/advisories/GHSA-5wrh-4jwv-5w78
- github.com/matrix-org/synapse
- github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc
- github.com/matrix-org/synapse/pull/9240
- github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY
- nvd.nist.gov/vuln/detail/CVE-2021-21392
- pypi.org/project/matrix-synapse
Code Behaviors & Features
Detect and mitigate CVE-2021-21392 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →