CVE-2021-21394: Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.6583%
Published: 4/13/2021
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| matrix-synapse | pip | < 1.28.0 | 1.28.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing input validation on the third-party identifier (3PID) endpoints. Patches #9321 and #9393 added length checks for parameters such as 'client_secret' and other request inputs. The affected endpoints (/register/email, /register/msisdn, /account/password, /account/3pid) correspond to handler functions in the registration and account-management modules. These functions processed untrusted parameters without any size validation, so a low-privileged caller could submit oversized values that consumed disk space and memory until resources were exhausted. Confidence is high because the patches explicitly target these endpoints, and the CVE description directly implicates the parameter validation logic in these flows.
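The defect class described above is a handler that persists request parameters before bounding their size. The following added example (not Synapse's code; the limits, the `client_secret` alphabet and the handler shape are assumptions chosen for illustration) shows the check that belongs in front of a 3PID requestToken-style handler: every value is length-checked, and the session is only stored once validation passes.

```python
import re
from typing import Any, Dict, List

# Constructed limits for this added example; the values chosen by the Synapse
# patches (#9321, #9393) are not stated on the page.
MAX_LENGTHS = {
    "client_secret": 255,
    "email": 254,       # RFC 5321 mailbox length
    "phone_number": 32,
    "country": 2,       # ISO 3166-1 alpha-2
    "next_link": 2048,
    "id_server": 253,   # maximum DNS name length
}
# Assumed alphabet for client_secret (Matrix restricts it to a small charset).
CLIENT_SECRET_RE = re.compile(r"^[0-9a-zA-Z.=_-]+$")
MAX_SEND_ATTEMPT = 2**31 - 1


def validate_threepid_params(params: Dict[str, Any]) -> str:
    """Return "" when the parameters are acceptable, otherwise a rejection
    reason. All size checks run before any value is stored or forwarded,
    which is exactly the step the vulnerable handlers lacked."""
    if "client_secret" not in params:
        return "missing client_secret"
    for name, value in params.items():
        if name == "send_attempt":
            if isinstance(value, bool) or not isinstance(value, int):
                return "send_attempt must be an integer"
            if not 0 <= value <= MAX_SEND_ATTEMPT:
                return "send_attempt out of range"
            continue
        limit = MAX_LENGTHS.get(name)
        if limit is None:
            return f"unexpected parameter {name!r}"
        if not isinstance(value, str):
            return f"{name} must be a string"
        if len(value) > limit:
            return f"{name} longer than {limit} characters"
    if not CLIENT_SECRET_RE.match(params["client_secret"]):
        return "client_secret contains invalid characters"
    return ""


def request_token(params: Dict[str, Any], pending: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Hardened stand-in for a /register/email/requestToken-style handler:
    validate first, then persist the session (modelled here as a list)."""
    reason = validate_threepid_params(params)
    if reason:
        # M_INVALID_PARAM is the standard Matrix error code for bad input.
        return {"errcode": "M_INVALID_PARAM", "error": reason}
    pending.append(params)
    return {"sid": f"session{len(pending)}"}
```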


WAF Protection Rules

WAF Rule

### Impact

Missing input validation on some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.

### Patches

The issue is fixed by #****.

### Workarou
