Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

IP blacklist bypass via transitional IPv6 addresses on dual-stack networks

Moderate
richvdh published GHSA-5wrh-4jwv-5w78 Apr 12, 2021

Package

pip matrix-synapse (pip)

Affected versions

< 1.28.0

Patched versions

>= 1.28.0

Description

Impact

Requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks.

Patches

This issue is fixed by #9240.

Workarounds

Outbound requests to the following address ranges can be blocked by a firewall, if unused for internal communication between systems:

  • ::ffff/80
  • ::0000/80 (note that this IP range is considered deprecated by the IETF)
  • 2002::/16 (note that this IP range is considered deprecated by the IETF)

References

Severity

Moderate

CVE ID

CVE-2021-21392

Weaknesses

No CWEs

Credits