CVE-2021-29471 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Denial of service
Description	In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1943	matrix-synapse	1.29.0-1	1.33.2-1	Medium	Fixed	FS#70801

Date	Advisory	Group	Package	Severity	Type
25 May 2021	ASA-202105-19	AVG-1943	matrix-synapse	Medium	denial of service

References
https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c