Vulnerability Description
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Synapse | < 1.41.1 |
| Fedoraproject | Fedora | 34 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/synapse/commit/cb35df940aPatchThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.41.1Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3qThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/matrix-org/synapse/commit/cb35df940aPatchThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.41.1Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3qThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-39164?
CVE-2021-39164 is a vulnerability with a CVSS score of 3.1 (LOW). Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of...
How severe is CVE-2021-39164?
CVE-2021-39164 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39164?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Synapse, Fedoraproject Fedora.