PT-2021-14481 · Syncthing+2

Wojciech Paciorek · Published 2021-04-06 · Updated 2024-08-21 · CVE-2021-21404

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Syncthing versions prior to 1.15.0
Description: The issue allows a malicious relay server to crash Syncthing by sending a malformed relay protocol message whose length field is negative. The relay server strelaysrv can likewise be crashed by sending it such a message. The crash occurs when Syncthing attempts to join a relay and is handed the malformed message. Sensitive data is not exposed by this issue, and exploitation requires Syncthing to be connected to a malicious relay server.
Recommendations: For Syncthing versions prior to 1.15.0, update to version 1.15.0 to resolve the issue. As a temporary workaround, configure Syncthing not to use relays, or to use only specific, trusted relays, to minimize the risk of exploitation.
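The defect class described above, as an added example that is not Syncthing's own code: a length-prefixed message reader that, in unchecked mode, hands a signed length straight to an allocation (so a negative length panics the process), and in checked mode rejects the header first. The header layout, the `maxMessageLength` bound and all function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Assumed layout, modelled on a length-prefixed relay header (not Syncthing's
// own code): messageType int32, messageLength int32, big-endian, then payload.
type header struct {
	MessageType   int32
	MessageLength int32
}

const maxMessageLength = 1 << 20 // assumed upper bound the hardened reader enforces

// readMessage parses one message. With checkLength=false it models the defect:
// the signed length goes straight to make, so a negative value panics (makeslice:
// len out of range). With checkLength=true the header is rejected before allocating.
func readMessage(r io.Reader, checkLength bool) ([]byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return nil, err
	}
	if checkLength && (hdr.MessageLength < 0 || hdr.MessageLength > maxMessageLength) {
		return nil, fmt.Errorf("relay: invalid message length %d", hdr.MessageLength)
	}
	payload := make([]byte, hdr.MessageLength) // panics when MessageLength < 0
	_, err := io.ReadFull(r, payload)
	return payload, err
}

// encode builds a constructed message, writing the length as given so a
// malformed (negative) header can be produced for testing.
func encode(msgType, length int32, payload []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, header{msgType, length})
	b.Write(payload)
	return b.Bytes()
}

// uncheckedPanics reports whether the unchecked reader panics on msg.
func uncheckedPanics(msg []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_, _ = readMessage(bytes.NewReader(msg), false)
	return false
}
```

The same bounds check also caps the allocation a remote peer can force, which is why the hardened reader rejects oversized lengths as well as negative ones.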

Fix

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2021-2071
ALT-PU-2021-2113
ALT-PU-2024-3833
BIT-SYNCTHING-2021-21404
CVE-2021-21404
GHSA-X462-89PF-6R5H
GO-2022-0888
OPENSUSE-SU-2021:0688-1
OPENSUSE-SU-2021:0713-1
OPENSUSE-SU-2021_0688-1
OPENSUSE-SU-2024:11417-1

Affected Products

Alt Linux
Suse
Syncthing