An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5ZmcteGZmaC1wMzYy
Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints
Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.
The issue is fixed by #9321.
Depending on the needs and configuration of the homeserver a few options are available:
Using email as third-party identifiers be disabled by not configuring the
Using phone numbers as third-party identifiers can be disabled by ensuring that
account_threepid_delegates.msisdnis not configured.
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
Source: GitHub Advisory Database
Published: over 2 years ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-w9fg-xffh-p362, CVE-2021-21394
- https://lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
Fixed in: 1.28.0