Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/18589?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/18589?format=api", "purl": "pkg:pypi/matrix-synapse@1.8.0", "type": "pypi", "namespace": "", "name": "matrix-synapse", "version": "1.8.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.106", "latest_non_vulnerable_version": "1.152.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36458?format=api", "vulnerability_id": "VCID-2q41-366b-jfbs", "summary": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15601", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/15601" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207", "reference_id": "1037207", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32683", "reference_id": "CVE-2023-32683", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32683" }, { "reference_url": "https://github.com/advisories/GHSA-98px-6486-j7qc", "reference_id": "GHSA-98px-6486-j7qc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-98px-6486-j7qc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33942?format=api", "purl": "pkg:pypi/matrix-synapse@1.85.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-w6fr-65fa-9yhb" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0" } ], "aliases": [ "CVE-2023-32683", "GHSA-98px-6486-j7qc", "PYSEC-2023-85" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2q41-366b-jfbs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36457?format=api", "vulnerability_id": "VCID-2uq2-kcfr-87gr", "summary": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/12274", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/issues/12274" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15624", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/15624" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15634", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/15634" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/jwt.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix-org.github.io/synapse/latest/jwt.html" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207", "reference_id": "1037207", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32682", "reference_id": "CVE-2023-32682", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32682" }, { "reference_url": "https://github.com/advisories/GHSA-26c5-ppr8-f33p", "reference_id": "GHSA-26c5-ppr8-f33p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-26c5-ppr8-f33p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33942?format=api", "purl": "pkg:pypi/matrix-synapse@1.85.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-w6fr-65fa-9yhb" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0" } ], "aliases": [ "CVE-2023-32682", "GHSA-26c5-ppr8-f33p", "PYSEC-2023-84" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2uq2-kcfr-87gr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7166?format=api", "vulnerability_id": "VCID-3sbj-6gut-cybe", "summary": "information disclosure", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41913", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39163" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/cb35df940a", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/cb35df940a" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/" }, { "reference_url": "https://security.archlinux.org/AVG-2334", "reference_id": "AVG-2334", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2334" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39163", "reference_id": "CVE-2021-39163", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39163" }, { "reference_url": "https://github.com/advisories/GHSA-jj53-8fmw-f2w2", "reference_id": "GHSA-jj53-8fmw-f2w2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jj53-8fmw-f2w2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23499?format=api", "purl": "pkg:pypi/matrix-synapse@1.41.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1" } ], "aliases": [ "CVE-2021-39163", "GHSA-jj53-8fmw-f2w2", "PYSEC-2021-424" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3sbj-6gut-cybe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36596?format=api", "vulnerability_id": "VCID-4vve-jkk2-rueg", "summary": "Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY" }, { "reference_url": "https://security.gentoo.org/glsa/202401-12", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202401-12" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255", "reference_id": "1055255", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43796", "reference_id": "CVE-2023-43796", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43796" }, { "reference_url": "https://github.com/advisories/GHSA-mp92-3jfm-3575", "reference_id": "GHSA-mp92-3jfm-3575", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mp92-3jfm-3575" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37740?format=api", "purl": "pkg:pypi/matrix-synapse@1.95.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.95.1" } ], "aliases": [ "CVE-2023-43796", "GHSA-mp92-3jfm-3575", "PYSEC-2023-230" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4vve-jkk2-rueg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51318?format=api", "vulnerability_id": "VCID-57xv-u1be-mfez", "summary": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.", "references": [ { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a" }, { "reference_url": "https://github.com/element-hq/synapse/issues/19394", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/issues/19394" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75426?format=api", "purl": "pkg:pypi/matrix-synapse@1.152.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1" } ], "aliases": [ "CVE-2026-45078", "GHSA-8q93-326v-3m7g", "PYSEC-2026-191" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-57xv-u1be-mfez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35764?format=api", "vulnerability_id": "VCID-6bx9-6prt-vffg", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66555", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21332" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9200" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332", "reference_id": "CVE-2021-21332", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332" }, { "reference_url": "https://github.com/advisories/GHSA-246w-56m2-5899", "reference_id": "GHSA-246w-56m2-5899", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-246w-56m2-5899" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20458?format=api", "purl": "pkg:pypi/matrix-synapse@1.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0" } ], "aliases": [ "CVE-2021-21332", "GHSA-246w-56m2-5899", "PYSEC-2021-133" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bx9-6prt-vffg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35763?format=api", "vulnerability_id": "VCID-9jy7-pnmw-1bbq", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21333", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00385", "scoring_system": "epss", "scoring_elements": "0.60022", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21333" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9200" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333", "reference_id": "CVE-2021-21333", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333" }, { "reference_url": "https://github.com/advisories/GHSA-c5f8-35qr-q4fm", "reference_id": "GHSA-c5f8-35qr-q4fm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c5f8-35qr-q4fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20458?format=api", "purl": "pkg:pypi/matrix-synapse@1.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0" } ], "aliases": [ "CVE-2021-21333", "GHSA-c5f8-35qr-q4fm", "PYSEC-2021-134" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jy7-pnmw-1bbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36768?format=api", "vulnerability_id": "VCID-9t8r-dp58-xydr", "summary": "Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.", "references": [ { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763", "reference_id": "1069763", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31208", "reference_id": "CVE-2024-31208", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31208" }, { "reference_url": "https://github.com/advisories/GHSA-3h7q-rfh9-xm4v", "reference_id": "GHSA-3h7q-rfh9-xm4v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3h7q-rfh9-xm4v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40927?format=api", "purl": "pkg:pypi/matrix-synapse@1.105.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.105.1" } ], "aliases": [ "CVE-2024-31208", "GHSA-3h7q-rfh9-xm4v", "PYSEC-2024-50" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9t8r-dp58-xydr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35795?format=api", "vulnerability_id": "VCID-b461-xbt2-9fg1", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 \"Push rules\" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29471", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.56779", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29471" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.33.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.33.2" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://security.archlinux.org/ASA-202105-19", "reference_id": "ASA-202105-19", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202105-19" }, { "reference_url": "https://security.archlinux.org/AVG-1943", "reference_id": "AVG-1943", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1943" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29471", "reference_id": "CVE-2021-29471", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29471" }, { "reference_url": "https://github.com/advisories/GHSA-x345-32rc-8h85", "reference_id": "GHSA-x345-32rc-8h85", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x345-32rc-8h85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21876?format=api", "purl": "pkg:pypi/matrix-synapse@1.33.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.33.2" } ], "aliases": [ "CVE-2021-29471", "GHSA-x345-32rc-8h85", "PYSEC-2021-135" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b461-xbt2-9fg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35774?format=api", "vulnerability_id": "VCID-bmw9-6jkv-t3ds", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00519", "scoring_system": "epss", "scoring_elements": "0.67124", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21394" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9321", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9321" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9393", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9393" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21394", "reference_id": "CVE-2021-21394", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21394" }, { "reference_url": "https://github.com/advisories/GHSA-w9fg-xffh-p362", "reference_id": "GHSA-w9fg-xffh-p362", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w9fg-xffh-p362" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21485?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21394", "GHSA-w9fg-xffh-p362", "PYSEC-2021-27" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bmw9-6jkv-t3ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36452?format=api", "vulnerability_id": "VCID-bnz6-nw3z-77gd", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/13288", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/issues/13288" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13823", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/13823" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39335", "reference_id": "CVE-2022-39335", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39335" }, { "reference_url": "https://github.com/advisories/GHSA-45cj-f97f-ggwv", "reference_id": "GHSA-45cj-f97f-ggwv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-45cj-f97f-ggwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33828?format=api", "purl": "pkg:pypi/matrix-synapse@1.69.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-w6fr-65fa-9yhb" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.69.0" } ], "aliases": [ "CVE-2022-39335", "GHSA-45cj-f97f-ggwv", "PYSEC-2023-65" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bnz6-nw3z-77gd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35729?format=api", "vulnerability_id": "VCID-buj8-8fqz-yyfe", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21273", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55549", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21273" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8821", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8821" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273", "reference_id": "CVE-2021-21273", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273" }, { "reference_url": "https://github.com/advisories/GHSA-v936-j8gp-9q3p", "reference_id": "GHSA-v936-j8gp-9q3p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v936-j8gp-9q3p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20185?format=api", "purl": "pkg:pypi/matrix-synapse@1.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-6bx9-6prt-vffg" }, { "vulnerability": "VCID-9jy7-pnmw-1bbq" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0" } ], "aliases": [ "CVE-2021-21273", "GHSA-v936-j8gp-9q3p", "PYSEC-2021-131" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-buj8-8fqz-yyfe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7165?format=api", "vulnerability_id": "VCID-d6yz-j1f9-cfec", "summary": "information disclosure", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39164", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50764", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39164" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/cb35df940a", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/cb35df940a" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/" }, { "reference_url": "https://security.archlinux.org/AVG-2334", "reference_id": "AVG-2334", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2334" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39164", "reference_id": "CVE-2021-39164", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39164" }, { "reference_url": "https://github.com/advisories/GHSA-3x4c-pq33-4w3q", "reference_id": "GHSA-3x4c-pq33-4w3q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3x4c-pq33-4w3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23499?format=api", "purl": "pkg:pypi/matrix-synapse@1.41.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1" } ], "aliases": [ "CVE-2021-39164", "GHSA-3x4c-pq33-4w3q", "PYSEC-2021-425" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d6yz-j1f9-cfec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36133?format=api", "vulnerability_id": "VCID-djck-vkte-q7he", "summary": "Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59487", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31052" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31052", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31052" }, { "reference_url": "https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28213?format=api", "purl": "pkg:pypi/matrix-synapse@1.61.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.61.1" } ], "aliases": [ "CVE-2022-31052", "GHSA-22p3-qrh9-cx32", "PYSEC-2022-224" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djck-vkte-q7he" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36948?format=api", "vulnerability_id": "VCID-ewxj-3jt9-p7af", "summary": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.", "references": [ { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37303", "reference_id": "CVE-2024-37303", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37303" }, { "reference_url": "https://github.com/advisories/GHSA-gjgr-7834-rhxr", "reference_id": "GHSA-gjgr-7834-rhxr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gjgr-7834-rhxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83453?format=api", "purl": "pkg:pypi/matrix-synapse@1.106", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106" }, { "url": "http://public2.vulnerablecode.io/api/packages/44195?format=api", "purl": "pkg:pypi/matrix-synapse@1.106.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-57xv-u1be-mfez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0" } ], "aliases": [ "CVE-2024-37303", "GHSA-gjgr-7834-rhxr", "PYSEC-2024-287" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ewxj-3jt9-p7af" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7001?format=api", "vulnerability_id": "VCID-ftmr-xpa4-mbfd", "summary": "directory traversal", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41281", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.68141", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41281" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/91f2bd090", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/91f2bd090" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451", "reference_id": "1000451", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451" }, { "reference_url": "https://security.archlinux.org/AVG-2581", "reference_id": "AVG-2581", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2581" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281", "reference_id": "CVE-2021-41281", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281" }, { "reference_url": "https://github.com/advisories/GHSA-3hfw-x7gx-437c", "reference_id": "GHSA-3hfw-x7gx-437c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3hfw-x7gx-437c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25067?format=api", "purl": "pkg:pypi/matrix-synapse@1.47.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.47.1" } ], "aliases": [ "CVE-2021-41281", "GHSA-3hfw-x7gx-437c", "PYSEC-2021-436" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ftmr-xpa4-mbfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36181?format=api", "vulnerability_id": "VCID-gre7-9vu7-vqdh", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31152", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00731", "scoring_system": "epss", "scoring_elements": "0.73063", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31152" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13087", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/13087" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13088", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/13088" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.62.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.62.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31152", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31152" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29119?format=api", "purl": "pkg:pypi/matrix-synapse@1.62.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/29122?format=api", "purl": "pkg:pypi/matrix-synapse@1.62.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1r3j-umak-ebhe" }, { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0" } ], "aliases": [ "CVE-2022-31152", "GHSA-jhjh-776m-4765", "PYSEC-2022-262" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gre7-9vu7-vqdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35775?format=api", "vulnerability_id": "VCID-j8zw-nzgv-mkeq", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21392", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41964", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21392" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9240", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9240" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21392", "reference_id": "CVE-2021-21392", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21392" }, { "reference_url": "https://github.com/advisories/GHSA-5wrh-4jwv-5w78", "reference_id": "GHSA-5wrh-4jwv-5w78", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5wrh-4jwv-5w78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21484?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/21485?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21392", "GHSA-5wrh-4jwv-5w78", "PYSEC-2021-25" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8zw-nzgv-mkeq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35730?format=api", "vulnerability_id": "VCID-jsxu-cjjr-nfhw", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21274", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00446", "scoring_system": "epss", "scoring_elements": "0.63786", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21274" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8950", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8950" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-132.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-132.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274", "reference_id": "CVE-2021-21274", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274" }, { "reference_url": "https://github.com/advisories/GHSA-2hwx-mjrm-v3g8", "reference_id": "GHSA-2hwx-mjrm-v3g8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2hwx-mjrm-v3g8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20185?format=api", "purl": "pkg:pypi/matrix-synapse@1.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-6bx9-6prt-vffg" }, { "vulnerability": "VCID-9jy7-pnmw-1bbq" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0" } ], "aliases": [ "CVE-2021-21274", "GHSA-2hwx-mjrm-v3g8", "PYSEC-2021-132" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsxu-cjjr-nfhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36567?format=api", "vulnerability_id": "VCID-mgxc-w86p-yqcm", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/16360", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/16360" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version" }, { "reference_url": "https://security.gentoo.org/glsa/202401-12", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202401-12" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243128", "reference_id": "2243128", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243128" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45129", "reference_id": "CVE-2023-45129", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45129" }, { "reference_url": "https://github.com/advisories/GHSA-5chr-wjw5-3gq4", "reference_id": "GHSA-5chr-wjw5-3gq4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5chr-wjw5-3gq4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36321?format=api", "purl": "pkg:pypi/matrix-synapse@1.94.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.94.0" } ], "aliases": [ "CVE-2023-45129", "GHSA-5chr-wjw5-3gq4", "PYSEC-2023-199" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mgxc-w86p-yqcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5786?format=api", "vulnerability_id": "VCID-mqta-hmxv-duh6", "summary": "denial of service", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.6906", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26890" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://security.archlinux.org/ASA-202011-23", "reference_id": "ASA-202011-23", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202011-23" }, { "reference_url": "https://security.archlinux.org/AVG-1296", "reference_id": "AVG-1296", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1296" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26890", "reference_id": "CVE-2020-26890", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26890" }, { "reference_url": "https://github.com/advisories/GHSA-4mp3-385r-v63f", "reference_id": "GHSA-4mp3-385r-v63f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4mp3-385r-v63f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18643?format=api", "purl": "pkg:pypi/matrix-synapse@1.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-6bx9-6prt-vffg" }, { "vulnerability": "VCID-9jy7-pnmw-1bbq" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-buj8-8fqz-yyfe" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-jsxu-cjjr-nfhw" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-rab2-vwyz-ufdt" }, { "vulnerability": "VCID-swgx-he8k-1qhy" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.20.0" } ], "aliases": [ "CVE-2020-26890", "GHSA-4mp3-385r-v63f", "PYSEC-2020-237" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mqta-hmxv-duh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35776?format=api", "vulnerability_id": "VCID-p7my-33nz-puhn", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21393", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00548", "scoring_system": "epss", "scoring_elements": "0.68252", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21393" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9321", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9321" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9393", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9393" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21393", "reference_id": "CVE-2021-21393", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21393" }, { "reference_url": "https://github.com/advisories/GHSA-jrh7-mhhx-6h88", "reference_id": "GHSA-jrh7-mhhx-6h88", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jrh7-mhhx-6h88" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21485?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21393", "GHSA-jrh7-mhhx-6h88", "PYSEC-2021-26" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p7my-33nz-puhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35690?format=api", "vulnerability_id": "VCID-rab2-vwyz-ufdt", "summary": "Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference \"homeserver\" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26257", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0045", "scoring_system": "epss", "scoring_elements": "0.63967", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26257" }, { "reference_url": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8776", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8776" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/" }, { "reference_url": "https://security.archlinux.org/AVG-1341", "reference_id": "AVG-1341", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1341" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257", "reference_id": "CVE-2020-26257", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257" }, { "reference_url": "https://github.com/advisories/GHSA-hxmp-pqch-c8mm", "reference_id": "GHSA-hxmp-pqch-c8mm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hxmp-pqch-c8mm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19296?format=api", "purl": "pkg:pypi/matrix-synapse@1.23.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-6bx9-6prt-vffg" }, { "vulnerability": "VCID-9jy7-pnmw-1bbq" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-buj8-8fqz-yyfe" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-jsxu-cjjr-nfhw" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.23.1" } ], "aliases": [ "CVE-2020-26257", "GHSA-hxmp-pqch-c8mm", "PYSEC-2020-236" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rab2-vwyz-ufdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5821?format=api", "vulnerability_id": "VCID-swgx-he8k-1qhy", "summary": "cross-site scripting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63478", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26891" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8444", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8444" }, { "reference_url": "https://github.com/matrix-org/synapse/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.21.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.21.2" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml" }, { "reference_url": "https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory" }, { "reference_url": "https://security.archlinux.org/ASA-202011-4", "reference_id": "ASA-202011-4", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202011-4" }, { "reference_url": "https://security.archlinux.org/AVG-1252", "reference_id": "AVG-1252", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1252" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26891", "reference_id": "CVE-2020-26891", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26891" }, { "reference_url": "https://github.com/advisories/GHSA-3x8c-fmpc-5rmq", "reference_id": "GHSA-3x8c-fmpc-5rmq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3x8c-fmpc-5rmq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18648?format=api", "purl": "pkg:pypi/matrix-synapse@1.21.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-3sbj-6gut-cybe" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-6bx9-6prt-vffg" }, { "vulnerability": "VCID-9jy7-pnmw-1bbq" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-b461-xbt2-9fg1" }, { "vulnerability": "VCID-bmw9-6jkv-t3ds" }, { "vulnerability": "VCID-bnz6-nw3z-77gd" }, { "vulnerability": "VCID-buj8-8fqz-yyfe" }, { "vulnerability": "VCID-d6yz-j1f9-cfec" }, { "vulnerability": "VCID-djck-vkte-q7he" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-ftmr-xpa4-mbfd" }, { "vulnerability": "VCID-gre7-9vu7-vqdh" }, { "vulnerability": "VCID-j8zw-nzgv-mkeq" }, { "vulnerability": "VCID-jsxu-cjjr-nfhw" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-p7my-33nz-puhn" }, { "vulnerability": "VCID-rab2-vwyz-ufdt" }, { "vulnerability": "VCID-ubx5-xans-8bey" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.21.0" } ], "aliases": [ "CVE-2020-26891", "GHSA-3x8c-fmpc-5rmq", "PYSEC-2020-238" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-swgx-he8k-1qhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36451?format=api", "vulnerability_id": "VCID-ubx5-xans-8bey", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/14492", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/issues/14492" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/14642", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/14642" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32323", "reference_id": "CVE-2023-32323", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32323" }, { "reference_url": "https://github.com/advisories/GHSA-f3wc-3vxv-xmvr", "reference_id": "GHSA-f3wc-3vxv-xmvr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3wc-3vxv-xmvr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33841?format=api", "purl": "pkg:pypi/matrix-synapse@1.74.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2q41-366b-jfbs" }, { "vulnerability": "VCID-2uq2-kcfr-87gr" }, { "vulnerability": "VCID-4vve-jkk2-rueg" }, { "vulnerability": "VCID-57xv-u1be-mfez" }, { "vulnerability": "VCID-8zas-gnpp-3qfd" }, { "vulnerability": "VCID-9t8r-dp58-xydr" }, { "vulnerability": "VCID-ewxj-3jt9-p7af" }, { "vulnerability": "VCID-mgxc-w86p-yqcm" }, { "vulnerability": "VCID-w6fr-65fa-9yhb" }, { "vulnerability": "VCID-z4xn-smp8-tfcj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.74.0" } ], "aliases": [ "CVE-2023-32323", "GHSA-f3wc-3vxv-xmvr", "PYSEC-2023-67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ubx5-xans-8bey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36947?format=api", "vulnerability_id": "VCID-z4xn-smp8-tfcj", "summary": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.", "references": [ { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37302", "reference_id": "CVE-2024-37302", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37302" }, { "reference_url": "https://github.com/advisories/GHSA-4mhg-xv73-xq2x", "reference_id": "GHSA-4mhg-xv73-xq2x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4mhg-xv73-xq2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83453?format=api", "purl": "pkg:pypi/matrix-synapse@1.106", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106" }, { "url": "http://public2.vulnerablecode.io/api/packages/44195?format=api", "purl": "pkg:pypi/matrix-synapse@1.106.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-57xv-u1be-mfez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0" } ], "aliases": [ "CVE-2024-37302", "GHSA-4mhg-xv73-xq2x", "PYSEC-2024-286" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z4xn-smp8-tfcj" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.8.0" }