CVE-2021-39163

Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.

Description

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`.

Categories

3.1
CVSS
Severity: Low
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.27%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org
Affected: matrix-org synapse
Published at:
Updated at:

References

Link Tags
https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 mitigation third party advisory
https://github.com/matrix-org/synapse/commit/cb35df940a third party advisory patch
https://github.com/matrix-org/synapse/releases/tag/v1.41.1 third party advisory release notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/ vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-39163?
CVE-2021-39163 has been scored as a low severity vulnerability.
How to fix CVE-2021-39163?
To fix CVE-2021-39163, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-39163 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-39163 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-39163?
CVE-2021-39163 affects matrix-org synapse.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.