CVE-2021-29453
CVSS V2 Medium 4
CVSS V3 Medium 6.5
Description
matrix-media-repo is an open-source multi-domain media repository for Matrix. Versions 1.2.6 and earlier of matrix-media-repo do not properly handle malicious images which are crafted to be small in file size, but large in complexity. A malicious user could upload a relatively small image in terms of file size, using particular image formats, which expands to have extremely large dimensions during the process of thumbnailing. The server can be exhausted of memory in the process of trying to load the whole image into memory for thumbnailing, leading to denial of service. Version 1.2.7 has a fix for the vulnerability.
Overview
- CVE ID
- CVE-2021-29453
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-04-19T19:15:17
- Last Modified Date
- 2022-08-03T10:18:44
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:matrix-media-repo_project:matrix-media-repo:*:*:*:*:*:*:*:* | 1 | OR | 1.2.7 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:S/C:N/I:N/A:P
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- NONE
- Integrity Impact
- NONE
- Availability Impact
- PARTIAL
- Base Score
- 4
- Severity
- MEDIUM
- Exploitability Score
- 8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- HIGH
- Base Score
- 6.5
- Base Severity
- MEDIUM
- Exploitability Score
- 2.8
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://hub.docker.com/r/turt2live/matrix-media-repo/tags?page=1&ordering=last_updated | Third Party Advisory |
| https://github.com/turt2live/matrix-media-repo/releases/tag/v1.2.7 | Release Notes Third Party Advisory |
| https://github.com/turt2live/matrix-media-repo/security/advisories/GHSA-j889-h476-hh9h | Patch Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-29453 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29453 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 07:14:00 | Added to TrackCVE | |||
| 2022-12-06 02:06:44 | 2021-04-19T19:15Z | 2021-04-19T19:15:17 | CVE Published Date | updated |
| 2022-12-06 02:06:44 | 2022-08-03T10:18:44 | CVE Modified Date | updated | |
| 2022-12-06 02:06:44 | Analyzed | Vulnerability Status | updated |