AVG-2581
| Package | matrix-synapse |
| Status | Fixed |
| Severity | Medium |
| Type | directory traversal |
| Affected | 1.47.0-1 |
| Fixed | 1.47.1-1 |
| Current | 1.143.0-1 [extra-testing] 1.142.1-1 [extra] |
| Ticket | None |
| Created | Tue Nov 23 12:27:50 2021 |
| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2021-41281 | Medium | Yes | Directory traversal | Synapse instances before version 1.47.1 with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary... |
| Notes |
|---|
| A hardened systemd config is deployed in the Arch Linux package by default, which considerably limits the paths that Synapse has write access to. |