CVE-2021-41281

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41281

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41281.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41281

Aliases

Related

Published

2021-11-23T20:15:11Z

Modified

2024-10-16T17:51:56.371689Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation whitelist are also unaffected, since Synapse will check the remote hostname, including the trailing ../s, against the whitelist. Server administrators should upgrade to 1.47.1 or later. Server administrators using a reverse proxy could, at the expense of losing media functionality, may block the certain endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.

References

Affected packages

Debian:13 / matrix-synapse

Package

Name: matrix-synapse
Purl: pkg:deb/debian/matrix-synapse?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.47.1-1

Affected versions

0.*

0.19.2+dfsg-3

0.19.2+dfsg-4

0.19.2+dfsg-5

0.19.2+dfsg-6

0.24.0+dfsg-1

0.27.2+dfsg-1

0.28.0+dfsg-1

0.28.0+dfsg-2

0.28.1+dfsg-1

0.29.1+dfsg-1

0.30.0+dfsg-1

0.31.0+dfsg-1

0.31.0+dfsg-2

0.31.1+dfsg-1

0.31.1+dfsg-2

0.31.2+dfsg-1

0.32.2+dfsg-1

0.33.0+dfsg-1

0.33.1+dfsg-1

0.33.2+dfsg-1

0.33.2+dfsg-2

0.33.2+dfsg-3

0.33.3-1

0.33.3-2

0.33.3.1-1

0.33.4-1~bpo9+1

0.33.4-1

0.33.8-1

0.33.9-2~bpo9+1

0.33.9-2

0.34.0~rc2-1

0.34.0-1

0.34.0-2

0.34.0-3~bpo9+1

0.34.0-3~bpo9+2

0.34.0-3

0.34.1.1-1

0.34.1.1-2~bpo9+1

0.34.1.1-2

0.34.1.1-3~bpo9+1

0.34.1.1-3~bpo9+2

0.34.1.1-3

0.34.1.1-4

0.99.0-1~bpo9+1

0.99.0-1~bpo9+2

0.99.0-1~bpo9+3

0.99.0-1

0.99.1.1-1

0.99.2-1~bpo9+1

0.99.2-1~bpo9+2

0.99.2-1

0.99.2-2

0.99.2-3

0.99.2-4

0.99.2-5~bpo9+1

0.99.2-5

0.99.2-6

0.99.3.2-1

0.99.5.1-1

0.99.5.2-1

1.*

1.0.0-1

1.0.0-2~bpo10+1

1.0.0-2

1.1.0-1

1.2.1-1~bpo10+1

1.2.1-1~bpo10+2

1.2.1-1

1.2.1-2

1.3.0-1~bpo10+1

1.3.0-1

1.4.0~rc1-1

1.4.0-1

1.5.0~rc1-1

1.5.0-1

1.5.1-1~bpo10+1

1.5.1-1

1.6.0-1

1.6.1-1~bpo10+1

1.6.1-1

1.7.0-1

1.7.0-2

1.7.1-1

1.7.2-1~bpo10+1

1.7.2-1

1.7.3-1~bpo10+1

1.7.3-1

1.8.0-1

1.9.0-1~bpo10+1

1.9.0-1

1.9.1-1~bpo10+1

1.9.1-1

1.10.0-1

1.10.0-2

1.11.0-1

1.11.1-1~bpo10+1

1.11.1-1

1.12.0-1~bpo10+1

1.12.0-1

1.12.3-1~bpo10+1

1.12.3-1

1.12.4-1~bpo10+1

1.12.4-1

1.13.0-1~bpo10+1

1.13.0-1

1.15.0-1

1.15.1-1~bpo10+1

1.15.1-1~bpo10+2

1.15.1-1

1.15.2-1

1.16.0-1

1.17.0-1~bpo10+1

1.17.0-1

1.18.0-1~bpo10+1

1.18.0-1

1.19.0-1~bpo10+1

1.19.0-1

1.19.1-1~bpo10+1

1.19.1-1~bpo10+2

1.19.1-1~bpo10+3

1.19.1-1

1.19.2-1

1.19.3-1

1.20.0-1

1.20.1-1~bpo10+1

1.20.1-1

1.21.1-1

1.21.2-1~bpo10+1

1.21.2-1

1.22.1-1~bpo10+1

1.22.1-1

1.22.1-2~bpo10+1

1.22.1-2

1.23.0-1~bpo10+1

1.23.0-1

1.24.0-1~bpo10+1

1.24.0-1

1.24.0-2

1.25.0-1~bpo10+1

1.25.0-1

1.25.0-2

1.26.0-1~bpo10+1

1.26.0-1~bpo10+2

1.26.0-1~bpo10+3

1.26.0-1

1.26.0-2

1.26.0-3

1.27.0-1~bpo10+1

1.27.0-1~bpo10+2

1.27.0-1~bpo10+3

1.27.0-1

1.28.0-1~bpo10+1

1.28.0-1~bpo10+2

1.28.0-1

1.29.0-1

1.30.0-1

1.31.0-1

1.31.0-2

1.33.2-1

1.34.0-1

1.35.0-1

1.35.1-1

1.36.0-1

1.37.0-1

1.37.1-1

1.38.0-1

1.38.1-1

1.39.0-1

1.40.0-1~bpo10+1

1.40.0-1~bpo11+1

1.40.0-1

1.41.1-1~bpo10+1

1.41.1-1~bpo11+1

1.41.1-1

1.42.0-1~bpo10+1

1.42.0-1~bpo11+1

1.42.0-1

1.43.0-1~bpo10+1

1.43.0-1~bpo11+1

1.43.0-1

1.44.0-1~bpo10+1

1.44.0-1~bpo11+1

1.44.0-1

1.44.0-2

1.45.0-1

1.45.1-1~bpo10+1

1.45.1-1~bpo11+1

1.45.1-1

1.46.0-1~bpo10+1

1.46.0-1~bpo10+2

1.46.0-1~bpo11+1

1.46.0-1~bpo11+2

1.46.0-1~bpo11+3

1.46.0-1

1.47.0-1

1.47.0-2~bpo10+1

1.47.0-2~bpo11+1

1.47.0-2

1.47.1-1~bpo10+1

1.47.1-1~bpo11+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/matrix-org/synapse

Affected ranges

Type: GIT
Repo: https://github.com/matrix-org/synapse
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

91f2bd090

Affected versions

0.*

0.34.0rc2

1.*

1.7.2

Other

alpha

hhs-1

hhs-2

hhs-3

hhs-4

hhs-5

hhs-6

hhs-7

hhs-8

v0.*

v0.0.0

v0.0.1

v0.1.0

v0.1.1

v0.1.2

v0.10.0

v0.10.0-r1

v0.10.0-r2

v0.10.0-rc1

v0.10.0-rc2

v0.10.0-rc3

v0.10.0-rc4

v0.10.0-rc5

v0.10.0-rc6

v0.10.1-rc1

v0.11.0

v0.11.0-r1

v0.11.0-r2

v0.11.0-rc1

v0.11.0-rc2

v0.11.1

v0.12.0

v0.12.0-rc1

v0.12.0-rc2

v0.12.0-rc3

v0.12.1-rc1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.0-rc1

v0.14.0-rc2

v0.15.0-rc1

v0.16.0

v0.16.0-rc1

v0.16.0-rc2

v0.16.1

v0.16.1-r1

v0.16.1-rc1

v0.17.0

v0.17.0-rc1

v0.17.0-rc2

v0.17.0-rc3

v0.17.0-rc4

v0.17.1

v0.17.1-rc1

v0.17.2

v0.17.2-rc1

v0.17.3

v0.18.0

v0.18.0-rc1

v0.18.1

v0.18.1-rc1

v0.18.2

v0.18.2-rc1

v0.18.2-rc2

v0.18.2-rc3

v0.18.2-rc4

v0.18.2-rc5

v0.18.3

v0.18.4

v0.18.4-rc1

v0.18.5

v0.18.5-rc1

v0.18.5-rc2

v0.18.5-rc3

v0.18.6

v0.18.6-rc1

v0.18.6-rc2

v0.18.6-rc3

v0.18.7

v0.18.7-rc1

v0.18.7-rc2

v0.19.0

v0.19.0-rc1

v0.19.0-rc2

v0.19.0-rc3

v0.19.0-rc4

v0.19.1

v0.19.2

v0.19.3

v0.19.3-rc1

v0.19.3-rc2

v0.2.0

v0.2.1

v0.2.1a

v0.2.2

v0.2.3

v0.20.0

v0.20.0-rc1

v0.21.0

v0.21.0-rc1

v0.21.0-rc2

v0.21.0-rc3

v0.21.1

v0.22.0

v0.22.0-rc1

v0.22.0-rc2

v0.22.1

v0.23.0

v0.23.0-rc1

v0.23.0-rc2

v0.23.1

v0.24.0

v0.24.0-rc1

v0.24.1

v0.25.0

v0.25.0-rc1

v0.25.1

v0.26.0

v0.26.0-rc1

v0.26.1

v0.27.0

v0.27.0-rc1

v0.27.0-rc2

v0.27.1

v0.27.2

v0.27.3

v0.27.3-rc1

v0.27.3-rc2

v0.27.4

v0.28.0

v0.28.0-rc1

v0.28.1

v0.29.0

v0.29.0-rc1

v0.29.1

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.30.0

v0.30.0-rc1

v0.31.0

v0.31.0-rc1

v0.31.1

v0.31.2

v0.32.0

v0.32.0rc1

v0.32.1

v0.32.2

v0.33.0

v0.33.0rc1

v0.33.1

v0.33.2

v0.33.2rc1

v0.33.3

v0.33.3.1

v0.33.3rc1

v0.33.3rc2

v0.33.4

v0.33.4rc1

v0.33.4rc2

v0.33.5

v0.33.5.1

v0.33.5rc1

v0.33.6

v0.33.6rc1

v0.33.7

v0.33.7rc1

v0.33.7rc2

v0.33.8

v0.33.8rc1

v0.33.8rc2

v0.33.9

v0.33.9rc1

v0.34.0

v0.34.0rc1

v0.34.0rc2

v0.34.1

v0.34.1+1

v0.34.1.1

v0.34.1rc1

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.3a

v0.5.3b

v0.5.3c

v0.5.4

v0.5.4a

v0.6.0

v0.6.0a

v0.6.0b

v0.6.1

v0.6.1a

v0.6.1b

v0.6.1c

v0.6.1d

v0.6.1e

v0.6.1f

v0.7.0

v0.7.0a

v0.7.0b

v0.7.0c

v0.7.0d

v0.7.0e

v0.7.0f

v0.7.1

v0.7.1-r1

v0.7.1-r2

v0.7.1-r3

v0.7.1-r4

v0.8.0

v0.8.1

v0.8.1-r1

v0.8.1-r2

v0.8.1-r3

v0.8.1-r4

v0.9.0

v0.9.0-r1

v0.9.0-r2

v0.9.0-r3

v0.9.0-r4

v0.9.0-r5

v0.9.1

v0.9.2

v0.9.2-r1

v0.9.2-r2

v0.9.3

v0.9.3-rc1

v0.99.0

v0.99.0rc1

v0.99.0rc2

v0.99.0rc3

v0.99.0rc4

v0.99.1

v0.99.1.1

v0.99.1rc1

v0.99.1rc2

v0.99.2

v0.99.2rc1

v0.99.3

v0.99.3.1

v0.99.3.2

v0.99.3rc1

v0.99.4

v0.99.4rc1

v0.99.5

v0.99.5.1

v0.99.5.1.dev0

v0.99.5.2

v0.99.5rc1

v1.*

v1.0.0

v1.0.0rc1

v1.0.0rc2

v1.0.0rc3

v1.1.0

v1.1.0rc1

v1.1.0rc2

v1.10.0

v1.10.0rc1

v1.10.0rc2

v1.10.0rc3

v1.10.0rc5

v1.10.1

v1.11.0

v1.11.0rc1

v1.11.1

v1.12.0

v1.12.0rc1

v1.12.1

v1.12.1rc1

v1.12.2

v1.12.3

v1.12.4

v1.12.4rc1

v1.13.0

v1.13.0rc1

v1.13.0rc2

v1.13.0rc3

v1.14.0

v1.14.0rc1

v1.14.0rc2

v1.15.0

v1.15.0rc1

v1.15.1

v1.15.2

v1.16.0

v1.16.0rc1

v1.16.0rc2

v1.16.1

v1.17.0

v1.17.0rc1

v1.18.0

v1.18.0rc1

v1.18.0rc2

v1.19.0

v1.19.0rc1

v1.19.1

v1.19.1rc1

v1.19.2

v1.19.3

v1.2.0

v1.2.0rc1

v1.2.0rc2

v1.2.1

v1.20.0

v1.20.0rc1

v1.20.0rc2

v1.20.0rc3

v1.20.0rc4

v1.20.0rc5

v1.20.1

v1.21.0

v1.21.0rc1

v1.21.0rc2

v1.21.0rc3

v1.21.1

v1.21.2

v1.22.0

v1.22.0rc1

v1.22.0rc2

v1.22.1

v1.23.0

v1.23.0rc1

v1.23.1

v1.24.0

v1.24.0rc1

v1.24.0rc2

v1.25.0

v1.25.0rc1

v1.26.0

v1.26.0-deb

v1.26.0rc1

v1.26.0rc2

v1.27.0

v1.27.0rc1

v1.27.0rc2

v1.28.0

v1.28.0rc1

v1.29.0

v1.29.0rc1

v1.3.0

v1.3.0rc1

v1.3.1

v1.30.0

v1.30.0rc1

v1.30.1

v1.31.0

v1.31.0rc1

v1.32.0

v1.32.0rc1

v1.32.1

v1.32.2

v1.33.0

v1.33.0rc1

v1.33.0rc2

v1.33.1

v1.33.2

v1.34.0

v1.34.0rc1

v1.35.0

v1.35.0rc1

v1.35.0rc2

v1.35.1

v1.36.0

v1.36.0rc1

v1.36.0rc2

v1.37.0

v1.37.0rc1

v1.37.1

v1.37.1a1

v1.37.1rc1

v1.38.0

v1.38.0rc1

v1.38.0rc2

v1.38.0rc3

v1.38.1

v1.39.0

v1.39.0rc1

v1.39.0rc2

v1.39.0rc3

v1.4.0

v1.4.0rc1

v1.4.0rc2

v1.4.1

v1.4.1rc1

v1.40.0

v1.40.0rc1

v1.40.0rc2

v1.40.0rc3

v1.41.0

v1.41.0rc1

v1.41.1

v1.42.0

v1.42.0rc1

v1.42.0rc2

v1.43.0

v1.43.0rc1

v1.43.0rc2

v1.44.0

v1.44.0rc1

v1.44.0rc2

v1.44.0rc3

v1.45.0

v1.45.0rc1

v1.45.0rc2

v1.45.1

v1.46.0

v1.46.0rc1

v1.47.0

v1.47.0rc1

v1.47.0rc2

v1.47.0rc3

v1.5.0

v1.5.0rc1

v1.5.0rc2

v1.5.1

v1.6.0

v1.6.0rc1

v1.6.0rc2

v1.6.1

v1.7.0

v1.7.0rc1

v1.7.0rc2

v1.7.1

v1.7.2

v1.7.3

v1.8.0

v1.8.0rc1

v1.9.0

v1.9.0.dev1

v1.9.0.dev2

v1.9.0rc1

v1.9.1