CVE-2021-39163 Information

Description

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior unauthorised users can access the name avatar topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default only homeserver administrators can create groups. However homeserver administrators can already access this information in the database or using the admin API. As a result only homeservers where the configuration setting enable_group_creation has been set to true are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set enable_group_creation to false in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could with partial loss of group functionality block the endpoints /_matrix/client/r0/groups/group_id/rooms and /_matrix/client/unstable/groups/group_id/rooms.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/commit/cb35df940a https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

3.1