CVE-2021-29453

Published: Apr 19, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

matrix-media-repo is an open-source multi-domain media repository for Matrix. Versions 1.2.6 and earlier of matrix-media-repo do not properly handle malicious images which are crafted to be small in file size, but large in complexity. A malicious user could upload a relatively small image in terms of file size, using particular image formats, which expands to have extremely large dimensions during the process of thumbnailing. The server can be exhausted of memory in the process of trying to load the whole image into memory for thumbnailing, leading to denial of service. Version 1.2.7 has a fix for the vulnerability.

Vendor	Product	Versions
turt2live	matrix-media-repo	affected `<= 1.2.6`

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/turt2live/matrix-media-repo/security/advisories/GHSA-j889-h476-hh9h

x_refsource_CONFIRM

https://hub.docker.com/r/turt2live/matrix-media-repo/tags?page=1&ordering=last_updated

x_refsource_MISC

https://github.com/turt2live/matrix-media-repo/releases/tag/v1.2.7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-29453

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References