CVE-2021-21392 MEDIUM

CVE-2021-21392: Open redirect via transitional IPv6 addresses on dual-stack networks

Vendor Matrix-Org

Product synapse

Weakness CWE-601 · Open redirect

Published April 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.

Key dates

02Disclosure timeline

April 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-21392 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

CVE-2021-21392: Open redirect via transitional IPv6 addresses on dual-stack networks

01Description

02Disclosure timeline

03References

04Related CVE