CVE-2021-29471 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-29471 PUBLISHED

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

EPSS 0.61% · 69.6th percentile

Risk Scores

EPSS Score

0.61%

69.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:22.04:LTS	matrix-synapse	1.39.0-1, 1.47.0-2, 1.47.1-1
Ubuntu:Pro:18.04:LTS	matrix-synapse	0, 0.24.0+dfsg-1, 0.24.0+dfsg-1ubuntu0.1~esm4
Ubuntu:Pro:20.04:LTS	matrix-synapse	0, 1.3.0-1, 1.5.0-1

Timeline

May 11, 2021 CVE Published
May 12, 2021 EPSS Score
Jul 14, 2021 EPSS Score
Sep 13, 2021 EPSS Score
Nov 14, 2021 EPSS Score
Jan 14, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 16, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 16, 2022 EPSS Score
Jul 17, 2022 EPSS Score
Sep 16, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2021-29471 third-party-advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 third-party-advisory
https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c third-party-advisory
https://github.com/matrix-org/synapse/releases/tag/v1.33.2 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-29471 third-party-advisory

Open in Interactive Console →