Bug 1184754 - (CVE-2021-21392) VUL-0: CVE-2021-21392: matrix-synapse: IP blacklist bypass via transitional IPv6 addresses on dual-stack networks
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 42.3
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Oliver Kurz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281660/
Reported: 2021-04-14 15:08 UTC by Alexander Bergmann
Modified: 2021-04-14 15:15 UTC
Found By: Security Response Team
Description Alexander Bergmann 2021-04-14 15:08:45 UTC
rh#1949111

In Synapse before version 1.28.0, requests to user-provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation and identity servers, requests made when calculating the key validity for third-party invite events, when sending push notifications, and when generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See the referenced GitHub security advisory for details and workarounds.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1949111
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21392
https://github.com/matrix-org/synapse/pull/9240
https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78
https://pypi.org/project/matrix-synapse/
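The bypass described above, as an added example that is not Synapse's own code: a blocklist check that compares the resolved address literally (the vulnerable pattern) next to a hardened check that also tests the IPv4 address embedded in the IPv6 form. It goes beyond the advisory text by covering the three transitional encodings the Python standard library can decode (IPv4-mapped, 6to4 and Teredo); the blocklist ranges, function names and sample addresses are constructed for this example.

```python
"""Added example, not Synapse's own code: an IP blocklist check that is
fooled by transitional IPv6 addresses, next to a hardened version."""
import ipaddress
from typing import Optional, Sequence, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed blocklist for a dual-stack host: RFC 1918 space plus loopback.
# Only literal IPv4 and IPv6 ranges are listed, as a typical config would.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]


def naive_is_blocked(addr: str, blocklist: Sequence[IPNet] = BLOCKLIST) -> bool:
    """Vulnerable pattern: the resolved address is compared as-is. An IPv6
    address never matches an IPv4 network, so ::ffff:10.0.0.1 passes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address carried inside a transitional IPv6 address,
    or None: IPv4-mapped (::ffff:a.b.c.d), 6to4 (2002::/16) and Teredo
    (2001::/32, client address stored inverted in the low 32 bits)."""
    ip = ipaddress.ip_address(addr)
    if not isinstance(ip, ipaddress.IPv6Address):
        return None
    teredo_client = ip.teredo[1] if ip.teredo is not None else None
    for inner in (ip.ipv4_mapped, ip.sixtofour, teredo_client):
        if inner is not None:
            return str(inner)
    return None


def hardened_is_blocked(addr: str, blocklist: Sequence[IPNet] = BLOCKLIST) -> bool:
    """Check the address itself and, when present, the IPv4 address it
    embeds, so an internal host cannot hide behind an IPv6 encoding."""
    ip = ipaddress.ip_address(addr)
    candidates = [ip]
    inner = embedded_ipv4(addr)
    if inner is not None:
        candidates.append(ipaddress.ip_address(inner))
    return any(c in net for c in candidates for net in blocklist)


if __name__ == "__main__":
    for sample in ("10.0.0.1", "::ffff:10.0.0.1", "2002:0a00:0001::",
                   "2001:0:4136:e378:8000:63bf:f5ff:fffe", "::ffff:203.0.113.5"):
        print(f"{sample:40} naive={naive_is_blocked(sample)!s:5} "
              f"hardened={hardened_is_blocked(sample)}")
```

The same normalisation has to be applied to every address a DNS lookup returns, not only to literals typed by the user, because the resolver can hand back an IPv4-mapped AAAA answer on a dual-stack host.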