CVE-2021-39163

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`.
Configurations

Configuration 1 (hide)

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

History

21 Nov 2024, 06:18

Type Values Removed Values Added
References () https://github.com/matrix-org/synapse/commit/cb35df940a - Patch, Third Party Advisory () https://github.com/matrix-org/synapse/commit/cb35df940a - Patch, Third Party Advisory
References () https://github.com/matrix-org/synapse/releases/tag/v1.41.1 - Release Notes, Third Party Advisory () https://github.com/matrix-org/synapse/releases/tag/v1.41.1 - Release Notes, Third Party Advisory
References () https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 - Mitigation, Third Party Advisory () https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 - Mitigation, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/ -

07 Nov 2023, 03:37

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/', 'name': 'FEDORA-2021-2e8ed15b14', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/', 'name': 'FEDORA-2021-f12fdca1bf', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/ -

Information

Published : 2021-08-31 16:15

Updated : 2024-11-21 06:18


NVD link : CVE-2021-39163

Mitre link : CVE-2021-39163

CVE.ORG link : CVE-2021-39163


JSON object : View

Products Affected

matrix

  • synapse

fedoraproject

  • fedora
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-863

Incorrect Authorization