Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5ZmcteGZmaC1wMzYy

Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints

Impact

Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.

Patches

The issue is fixed by #9321.

Workarounds

Depending on the needs and configuration of the homeserver a few options are available:

1. Using email as third-party identifiers be disabled by not configuring the email setting.

2. Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.

3. Additionally, the affected endpoint patterns can be blocked at a reverse proxy:

   • ^/_matrix/client/(r0|unstable)/register/email
   • ^/_matrix/client/(r0|unstable)/register/msisdn
   • ^/_matrix/client/(r0|unstable)/account/password
   • ^/_matrix/client/(r0|unstable)/account/3pid

Permalink: https://github.com/advisories/GHSA-w9fg-xffh-p362
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5ZmcteGZmaC1wMzYy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-w9fg-xffh-p362, CVE-2021-21394
References:

• https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362
• https://pypi.org/project/matrix-synapse/
• https://nvd.nist.gov/vuln/detail/CVE-2021-21394
• https://github.com/matrix-org/synapse/pull/9321
• https://github.com/matrix-org/synapse/pull/9393
• https://lists.fedoraproject.org/archives/list/[email protected]/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY/
• https://github.com/advisories/GHSA-w9fg-xffh-p362

Affected Packages