PT-2021-14380 · Matrix · Synapse

Published: 2021-02-24 · Updated: 2021-11-23 · CVE-2021-21273

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.25.0
Description: The issue concerns Synapse, a Matrix reference homeserver written in Python, in which requests to user-provided domains were not restricted to external IP addresses when calculating key validity for third-party invite events and when sending push notifications. As a result, Synapse could be induced to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible.
Recommendations: For Synapse versions prior to 1.25.0, upgrade to Synapse version 1.25.0. After upgrading, remove the deprecated federation ip range blacklist setting from the configuration so that the improved default IP address restrictions take effect. Consider using the new ip range blacklist and ip range whitelist settings where more specific control is needed. As a temporary workaround, consider blocking requests to internal IP addresses at the system or network level.
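The recommendation above relies on an allow/deny decision over the IP addresses a user-supplied hostname resolves to. The following is an added, stand-alone example (not Synapse's own code) of how such a check is evaluated: the block list denies loopback, private and link-local ranges, the allow list overrides it for a specific internal host, and every resolved address must pass, including IPv4 addresses hidden inside IPv4-mapped IPv6 form. The range values and the hostname/address samples are constructed for illustration; the real Synapse settings this mirrors are `ip_range_blacklist` and `ip_range_whitelist`, but their defaults and precise semantics should be taken from the Synapse configuration documentation, not from this snippet.

```python
import ipaddress

# Constructed block list modelled on the private, loopback and link-local ranges
# that outbound-request filtering typically denies. Illustrative values only,
# not Synapse's actual default ip_range_blacklist.
BLOCKED_RANGES = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",
]

# Constructed allow list: one internal push gateway that is deliberately reachable
# even though it sits inside a blocked range (the ip_range_whitelist use case).
ALLOWED_RANGES = ["10.20.30.40/32"]


def parse_ranges(ranges):
    """Turn CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def _candidate_addresses(addr):
    """Yield the address itself and, for IPv4-mapped IPv6 (::ffff:a.b.c.d),
    the embedded IPv4 address, so a v4 block cannot be bypassed via v6 notation."""
    yield addr
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        yield mapped


def is_destination_allowed(ip, blocked=BLOCKED_RANGES, allowed=ALLOWED_RANGES):
    """Return True if an outbound request to this IP is permitted.

    Allow-list entries take precedence over block-list entries; an address that
    is in neither list is permitted (the lists only carve out internal space).
    Comparing a v4 address against a v6 network (or vice versa) is simply False.
    """
    addr = ipaddress.ip_address(ip)
    allow_nets = parse_ranges(allowed)
    block_nets = parse_ranges(blocked)
    for candidate in _candidate_addresses(addr):
        if any(candidate in net for net in allow_nets):
            return True
    for candidate in _candidate_addresses(addr):
        if any(candidate in net for net in block_nets):
            return False
    return True


def check_resolved_addresses(hostname, resolved_ips):
    """A user-supplied hostname may resolve to several records; the request is
    only safe if every address passes, otherwise the client might connect to
    the one internal address among otherwise public ones. `hostname` is kept
    only for logging context; resolution itself is assumed to happen elsewhere."""
    verdicts = {ip: is_destination_allowed(ip) for ip in resolved_ips}
    return all(verdicts.values()), verdicts


if __name__ == "__main__":
    # Constructed resolution results for two hypothetical hostnames.
    for host, ips in [
        ("push.example.test", ["203.0.113.5"]),
        ("mixed.example.test", ["203.0.113.5", "10.0.0.1"]),
        ("gateway.example.test", ["10.20.30.40"]),
        ("mapped.example.test", ["::ffff:10.0.0.1"]),
    ]:
        ok, detail = check_resolved_addresses(host, ips)
        print(host, "allowed" if ok else "blocked", detail)
```

The allow-before-block order is what lets an operator keep a single internal push gateway reachable while the rest of the private range stays blocked; the mapped-address check and the all-records rule are the two places where a naive implementation of the same policy usually goes wrong.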

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1385
CVE-2021-21273
GHSA-V936-J8GP-9Q3P
PYSEC-2021-131

Affected Products

Alt Linux
Synapse