CVE-2021-41281: Path traversal in Matrix Synapse
(updated )
Synapse is a package for Matrix homeservers written in Python 3/Twisted. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation allowlist are also unaffected, since Synapse will check the remote hostname, including the trailing ../s, against the allowlist. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.
References
- github.com/advisories/GHSA-3hfw-x7gx-437c
- github.com/matrix-org/synapse
- github.com/matrix-org/synapse/commit/91f2bd090
- github.com/matrix-org/synapse/releases/tag/v1.47.1
- github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2
- nvd.nist.gov/vuln/detail/CVE-2021-41281
Code Behaviors & Features
Detect and mitigate CVE-2021-41281 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →