{"id":"PYSEC-2021-132","details":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.","aliases":["CVE-2021-21274","GHSA-2hwx-mjrm-v3g8"],"modified":"2023-11-01T04:54:10.306158Z","published":"2021-02-26T18:15:00Z","references":[{"type":"WEB","url":"https://github.com/matrix-org/synapse/releases/tag/v1.25.0"},{"type":"FIX","url":"https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/pull/8950"},{"type":"ADVISORY","url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/synapse","events":[{"introduced":"0"},{"fixed":"ff5c4da1289cb5e097902b3e55b771be342c29d6"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0.99.0"},{"fixed":"1.25.0"}]}],"versions":["0.99.0","0.99.1","0.99.1.1","0.99.1rc1","0.99.1rc2","0.99.2","0.99.2rc1","0.99.3","0.99.3.1","0.99.3.2","0.99.3rc1","0.99.4","0.99.4rc1","0.99.5","0.99.5.1","0.99.5.2","0.99.5rc1","1.0.0","1.0.0rc1","1.0.0rc2","1.0.0rc3","1.1.0","1.1.0rc1","1.1.0rc2","1.10.0","1.10.0rc1","1.10.0rc2","1.10.0rc3","1.10.0rc5","1.10.1","1.11.0","1.11.0rc1","1.11.1","1.12.0","1.12.0rc1","1.12.1","1.12.1rc1","1.12.2","1.12.3","1.12.4","1.12.4rc1","1.13.0","1.13.0rc1","1.13.0rc2","1.13.0rc3","1.14.0","1.14.0rc1","1.14.0rc2","1.15.0","1.15.0rc1","1.15.1","1.15.2","1.16.0","1.16.0rc1","1.16.0rc2","1.16.1","1.17.0","1.17.0rc1","1.18.0","1.18.0rc1","1.18.0rc2","1.19.0","1.19.0rc1","1.19.1","1.19.1rc1","1.19.2","1.19.3","1.2.0","1.2.0rc1","1.2.0rc2","1.2.1","1.20.0","1.20.0rc1","1.20.0rc2","1.20.0rc3","1.20.0rc4","1.20.0rc5","1.20.1","1.21.0","1.21.0rc1","1.21.0rc2","1.21.0rc3","1.21.1","1.21.2","1.22.0","1.22.0rc1","1.22.0rc2","1.22.1","1.23.0","1.23.0rc1","1.23.1","1.24.0","1.24.0rc1","1.24.0rc2","1.25.0rc1","1.3.0","1.3.0rc1","1.3.1","1.4.0","1.4.0rc1","1.4.0rc2","1.4.1","1.4.1rc1","1.5.0","1.5.0rc1","1.5.0rc2","1.5.1","1.6.0","1.6.0rc1","1.6.0rc2","1.6.1","1.7.0","1.7.0rc1","1.7.0rc2","1.7.1","1.7.2","1.7.3","1.8.0","1.8.0rc1","1.9.0","1.9.0.dev1","1.9.0.dev2","1.9.0rc1","1.9.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2021-132.yaml"}}],"schema_version":"1.7.3"}