Candidate: CVE-2021-21332
PublicDate: 2021-03-26 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21332
 https://github.com/matrix-org/synapse/releases/tag/v1.27.0
 https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899
Description:
 Synapse is a Matrix reference homeserver written in python (pypi package
 matrix-synapse). Matrix is an ecosystem for open federated Instant
 Messaging and VoIP. In Synapse before version 1.27.0, the password reset
 endpoint served via Synapse was vulnerable to cross-site scripting (XSS)
 attacks. The impact depends on the configuration of the domain that Synapse
 is deployed on, but may allow access to cookies and other browser data,
 CSRF vulnerabilities, and access to other resources served on the same
 domain or parent domains. This is fixed in version 1.27.0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://github.com/matrix-org/synapse/pull/9200
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N [8.2 HIGH]


Patches_matrix-synapse:
 upstream: https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df
upstream_matrix-synapse: released (1.27.0)
precise/esm_matrix-synapse: DNE
trusty_matrix-synapse: ignored (out of standard support)
trusty/esm_matrix-synapse: DNE
xenial_matrix-synapse: DNE
bionic_matrix-synapse: needs-triage
focal_matrix-synapse: needs-triage
groovy_matrix-synapse: ignored (reached end-of-life)
hirsute_matrix-synapse: not-affected (1.27.0-1)
impish_matrix-synapse: not-affected (1.27.0-1)
jammy_matrix-synapse: not-affected (1.27.0-1)
devel_matrix-synapse: not-affected (1.27.0-1)