CVE Vulnerability

CVE-2021-29453

matrix-media-repo is an open-source multi-domain media repository for Matrix. Versions 1.2.6 and earlier of matrix-media-repo do not properly handle malicious images which are crafted to be small in file size, but large in complexity. A malicious user could upload a relatively small image in terms of file size, using particular image formats, which expands to have extremely large dimensions during the process of thumbnailing. The server can be exhausted of memory in the process of trying to load the whole image into memory for thumbnailing, leading to denial of service. Version 1.2.7 has a fix for the vulnerability.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://hub.docker.com/r/turt2live/matrix-media-repo/tags?page=1&ordering=last_updated Third Party Advisory
https://github.com/turt2live/matrix-media-repo/releases/tag/v1.2.7 Release Notes Third Party Advisory
https://github.com/turt2live/matrix-media-repo/security/advisories/GHSA-j889-h476-hh9h Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:matrix-media-repo_project:matrix-media-repo:*:*:*:*:*:*:*:*
Information

Published : 2021-04-19 07:15

Updated : 2022-08-03 10:18

NVD link : CVE-2021-29453

Mitre link : CVE-2021-29453

Products Affected
No products.
CWE
CWE-770