Discover the impact of CVE-2021-21273 on Synapse. Learn about the vulnerability allowing open redirects on some federation and push requests, its implications, and mitigation steps.
Synapse, a Matrix reference homeserver, was found to have open redirects on some federation and push requests before version 1.25.0. This vulnerability could lead to requests being made to internal infrastructure, potentially compromising security.
Understanding CVE-2021-21273
This CVE refers to the issue of unrestricted domain requests in Synapse, allowing requests to be made to internal infrastructure.
What is CVE-2021-21273?
Synapse, a Python-based Matrix reference homeserver, had a flaw that enabled requests to user-provided domains without restrictions, leading to potential requests to internal infrastructure.
The Impact of CVE-2021-21273
The vulnerability could result in unauthorized requests being made to internal infrastructure, potentially exposing sensitive information or causing disruptions.
Technical Details of CVE-2021-21273
The vulnerability is rated with a CVSS base score of 3.1 (Low severity), with high attack complexity and required user interaction.
Vulnerability Description
Requests to user-provided domains in Synapse were not limited to external IPs, allowing requests to internal infrastructure, compromising security.
Affected Systems and Versions
Synapse versions prior to 1.25.0 are affected by this vulnerability.
Exploitation Mechanism
The issue arises from the lack of domain restriction for user-provided domains which allows requests to internal infrastructure.
Mitigation and Prevention
It is crucial to take immediate action to secure systems against this vulnerability.
Immediate Steps to Take
Server administrators should upgrade to Synapse version 1.25.0 or later and remove the deprecated federation_ip_range_blacklist setting for enhanced protection.
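The protection the upgraded server applies is a destination check on server-initiated requests (federation, push, identity lookups): the user-supplied hostname is resolved, and the request is refused if any resolved address falls inside an internal IP range. The following is an added illustration of that check, not Synapse's own code; it assumes a constructed in-memory DNS table so it runs offline, and the blocked ranges are modelled on a typical Synapse ip_range_blacklist value.

```python
"""Destination IP-range blocklist check of the kind that mitigates CVE-2021-21273.

Added illustration; not Synapse code. FAKE_DNS is a constructed stand-in
for DNS resolution so the example runs offline.
"""
import ipaddress
from typing import Dict, List

# Ranges a server-side request must never reach: loopback, RFC 1918,
# link-local (including cloud metadata endpoints), CGNAT, and their IPv6
# counterparts. Modelled on a typical ip_range_blacklist configuration.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed DNS answers: hostname -> list of address strings.
FAKE_DNS: Dict[str, List[str]] = {
    "matrix.example.org": ["203.0.113.10"],
    "metadata-host.example": ["169.254.169.254"],
    "mixed-host.example": ["203.0.113.20", "10.0.0.5"],
    "mapped-host.example": ["::ffff:192.168.1.1"],
}


def is_blocked(addr: str) -> bool:
    """True if addr lies in a blocked range. IPv4-mapped IPv6 addresses are
    unwrapped first so that ::ffff:192.168.1.1 is judged as 192.168.1.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_RANGES)


def destination_allowed(hostname: str, dns: Dict[str, List[str]] = FAKE_DNS) -> bool:
    """Resolve a user-supplied hostname and allow the request only if every
    answer is outside the blocked ranges. The check runs after resolution:
    a filter on the hostname string alone is defeated by a public name whose
    record points at an internal address. A host with any blocked answer is
    refused, which also covers mixed public/internal answer sets."""
    answers = dns.get(hostname)
    if not answers:
        return False
    return not any(is_blocked(a) for a in answers)
```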
Long-Term Security Practices
Regularly monitor for updates and security advisories related to Synapse to stay informed about potential vulnerabilities.
Patching and Updates
Ensure that systems are promptly patched with the latest updates from Matrix.org to mitigate the risk of open redirects on federation and push requests.