{
  "schema_version": "1.4.0",
  "id": "GHSA-jrh7-mhhx-6h88",
  "modified": "2024-09-30T20:39:15Z",
  "published": "2021-04-13T15:12:40Z",
  "aliases": [
    "CVE-2021-21393"
  ],
  "summary": "Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints",
  "details": "### Impact\nMissing input validation of some parameters on the groups (also known as communities) endpoints could cause excessive use of disk space and memory leading to resource exhaustion. Additionally clients may have issues rendering large fields.\n\n### Patches\nThis issue is fixed by #9321 and #9393.\n\n### Workarounds\nThe groups feature can be disabled (by setting `enable_group_creation` to `False`) to mitigate this issue. Note that it is disabled by default.\n\n### Other information\nNote that the groups feature is not part of the [Matrix specification](https://matrix.org/docs/spec/) and the chosen maximum lengths are arbitrary. Not all clients might abide by them.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.28.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/9393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/matrix-synapse"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-12T20:48:55Z",
    "nvd_published_at": "2021-04-12T22:15:00Z"
  }
}