ghsa-3x4c-pq33-4w3q
Vulnerability from github
Published
2021-09-01 18:25
Modified
2024-09-24 15:36
Severity ?
Summary
Improper authorisation of members discloses room membership to non-members
Details
Impact
Unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with shared
history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room.
Patches
Server administrators should upgrade to 1.41.1 or later.
Workarounds
Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the following endpoints:
* /_matrix/client/r0/rooms/{room_id}/members
with at
query parameter
* /_matrix/client/unstable/rooms/{room_id}/members
with at
query parameter
References
n/a
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "matrix-synapse" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.41.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-39164" ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2021-08-31T19:13:32Z", "nvd_published_at": "2021-08-31T17:15:00Z", "severity": "LOW" }, "details": "### Impact\nUnauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room.\n\n### Patches\nServer administrators should upgrade to 1.41.1 or later.\n\n### Workarounds\nAdministrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the following endpoints:\n* `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter\n* `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter\n\n### References\nn/a\n\n### For more information\nIf you have any questions or comments about this advisory, e-mail us at security@matrix.org.", "id": "GHSA-3x4c-pq33-4w3q", "modified": "2024-09-24T15:36:22Z", "published": "2021-09-01T18:25:27Z", "references": [ { "type": "WEB", "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39164" }, { "type": "WEB", "url": "https://github.com/matrix-org/synapse/commit/cb35df940a" }, { "type": "PACKAGE", "url": "https://github.com/matrix-org/synapse" }, { "type": "WEB", "url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Improper authorisation of members discloses room membership to non-members" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.