Candidate: CVE-2021-21274
PublicDate: 2021-02-26 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21274
 https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8
 https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6
 https://github.com/matrix-org/synapse/pull/8950
 https://github.com/matrix-org/synapse/releases/tag/v1.25.0
Description:
 Synapse is a Matrix reference homeserver written in python (pypi package
 matrix-synapse). Matrix is an ecosystem for open federated Instant
 Messaging and VoIP. In Synapse before version 1.25.0, a malicious
 homeserver could redirect requests to their .well-known file to a large
 file. This can lead to a denial of service attack where homeservers will
 consume significantly more resources when requesting the .well-known file
 of a malicious homeserver. This affects any server which accepts federation
 requests from untrusted servers. Issue is resolved in version 1.25.0. As a
 workaround the `federation_domain_whitelist` setting can be used to
 restrict the homeservers communicated with over federation.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_matrix-synapse:
upstream_matrix-synapse: released (1.25.0-1)
precise/esm_matrix-synapse: DNE
trusty_matrix-synapse: ignored (out of standard support)
trusty/esm_matrix-synapse: DNE
xenial_matrix-synapse: DNE
bionic_matrix-synapse: needs-triage
focal_matrix-synapse: needs-triage
groovy_matrix-synapse: ignored (reached end-of-life)
hirsute_matrix-synapse: not-affected (1.26.0-3)
impish_matrix-synapse: not-affected (1.26.0-3)
jammy_matrix-synapse: not-affected (1.26.0-3)
devel_matrix-synapse: not-affected (1.26.0-3)