Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2021-39164

Опубликовано: 31 авг. 2021
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 3.5
CVSS3: 3.1

Описание

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with shared history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: /_matrix/client/r0/rooms/{room_id}/members with at query parameter, and /_matrix/client/unstable/rooms/{room_id}/members with at query parameter.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needed
esm-apps/bionic

needed

esm-apps/focal

needed

esm-apps/jammy

needs-triage

esm-apps/noble

not-affected

1.64.0-3
esm-infra-legacy/trusty

DNE

focal

ignored

end of standard support, was needed
hirsute

ignored

end of life
impish

ignored

end of life
jammy

needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 65%
0.00485
Низкий

3.5 Low

CVSS2

3.1 Low

CVSS3

Связанные уязвимости

nvd логотип

CVE-2021-39164

CVSS3: 3.1
nvd
больше 4 лет назад

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.

debian логотип

CVE-2021-39164

CVSS3: 3.1
debian
больше 4 лет назад

Matrix is an ecosystem for open federated Instant Messaging and Voice ...

github логотип

GHSA-3x4c-pq33-4w3q

CVSS3: 3.1
github
больше 4 лет назад

Improper authorisation of members discloses room membership to non-members

EPSS

Процентиль: 65%
0.00485
Низкий

3.5 Low

CVSS2

3.1 Low

CVSS3