CVE-2023-32683
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-32683
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32683.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-32683
- Aliases
- Related
- Published
- 2023-06-06T19:15:11Z
- Modified
- 2024-10-16T17:50:44.720397Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the
url_preview_url_blacklistsetting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by theurl_preview_ip_range_blacklistsetting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via theurl_preview_enabledsetting) or have not configured aurl_preview_url_blacklistare not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews. - References
-
- https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc
- https://github.com/matrix-org/synapse/pull/15601
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/
- https://security-tracker.debian.org/tracker/CVE-2023-32683
Affected packages
Debian:13 / matrix-synapse
Package
- Name
- matrix-synapse
- Purl
- pkg:deb/debian/matrix-synapse?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.90.0-1
Affected versions
0.*
0.19.2+dfsg-3
0.19.2+dfsg-4
0.19.2+dfsg-5
0.19.2+dfsg-6
0.24.0+dfsg-1
0.27.2+dfsg-1
0.28.0+dfsg-1
0.28.0+dfsg-2
0.28.1+dfsg-1
0.29.1+dfsg-1
0.30.0+dfsg-1
0.31.0+dfsg-1
0.31.0+dfsg-2
0.31.1+dfsg-1
0.31.1+dfsg-2
0.31.2+dfsg-1
0.32.2+dfsg-1
0.33.0+dfsg-1
0.33.1+dfsg-1
0.33.2+dfsg-1
0.33.2+dfsg-2
0.33.2+dfsg-3
0.33.3-1
0.33.3-2
0.33.3.1-1
0.33.4-1~bpo9+1
0.33.4-1
0.33.8-1
0.33.9-2~bpo9+1
0.33.9-2
0.34.0~rc2-1
0.34.0-1
0.34.0-2
0.34.0-3~bpo9+1
0.34.0-3~bpo9+2
0.34.0-3
0.34.1.1-1
0.34.1.1-2~bpo9+1
0.34.1.1-2
0.34.1.1-3~bpo9+1
0.34.1.1-3~bpo9+2
0.34.1.1-3
0.34.1.1-4
0.99.0-1~bpo9+1
0.99.0-1~bpo9+2
0.99.0-1~bpo9+3
0.99.0-1
0.99.1.1-1
0.99.2-1~bpo9+1
0.99.2-1~bpo9+2
0.99.2-1
0.99.2-2
0.99.2-3
0.99.2-4
0.99.2-5~bpo9+1
0.99.2-5
0.99.2-6
0.99.3.2-1
0.99.5.1-1
0.99.5.2-1
1.*
1.0.0-1
1.0.0-2~bpo10+1
1.0.0-2
1.1.0-1
1.2.1-1~bpo10+1
1.2.1-1~bpo10+2
1.2.1-1
1.2.1-2
1.3.0-1~bpo10+1
1.3.0-1
1.4.0~rc1-1
1.4.0-1
1.5.0~rc1-1
1.5.0-1
1.5.1-1~bpo10+1
1.5.1-1
1.6.0-1
1.6.1-1~bpo10+1
1.6.1-1
1.7.0-1
1.7.0-2
1.7.1-1
1.7.2-1~bpo10+1
1.7.2-1
1.7.3-1~bpo10+1
1.7.3-1
1.8.0-1
1.9.0-1~bpo10+1
1.9.0-1
1.9.1-1~bpo10+1
1.9.1-1
1.10.0-1
1.10.0-2
1.11.0-1
1.11.1-1~bpo10+1
1.11.1-1
1.12.0-1~bpo10+1
1.12.0-1
1.12.3-1~bpo10+1
1.12.3-1
1.12.4-1~bpo10+1
1.12.4-1
1.13.0-1~bpo10+1
1.13.0-1
1.15.0-1
1.15.1-1~bpo10+1
1.15.1-1~bpo10+2
1.15.1-1
1.15.2-1
1.16.0-1
1.17.0-1~bpo10+1
1.17.0-1
1.18.0-1~bpo10+1
1.18.0-1
1.19.0-1~bpo10+1
1.19.0-1
1.19.1-1~bpo10+1
1.19.1-1~bpo10+2
1.19.1-1~bpo10+3
1.19.1-1
1.19.2-1
1.19.3-1
1.20.0-1
1.20.1-1~bpo10+1
1.20.1-1
1.21.1-1
1.21.2-1~bpo10+1
1.21.2-1
1.22.1-1~bpo10+1
1.22.1-1
1.22.1-2~bpo10+1
1.22.1-2
1.23.0-1~bpo10+1
1.23.0-1
1.24.0-1~bpo10+1
1.24.0-1
1.24.0-2
1.25.0-1~bpo10+1
1.25.0-1
1.25.0-2
1.26.0-1~bpo10+1
1.26.0-1~bpo10+2
1.26.0-1~bpo10+3
1.26.0-1
1.26.0-2
1.26.0-3
1.27.0-1~bpo10+1
1.27.0-1~bpo10+2
1.27.0-1~bpo10+3
1.27.0-1
1.28.0-1~bpo10+1
1.28.0-1~bpo10+2
1.28.0-1
1.29.0-1
1.30.0-1
1.31.0-1
1.31.0-2
1.33.2-1
1.34.0-1
1.35.0-1
1.35.1-1
1.36.0-1
1.37.0-1
1.37.1-1
1.38.0-1
1.38.1-1
1.39.0-1
1.40.0-1~bpo10+1
1.40.0-1~bpo11+1
1.40.0-1
1.41.1-1~bpo10+1
1.41.1-1~bpo11+1
1.41.1-1
1.42.0-1~bpo10+1
1.42.0-1~bpo11+1
1.42.0-1
1.43.0-1~bpo10+1
1.43.0-1~bpo11+1
1.43.0-1
1.44.0-1~bpo10+1
1.44.0-1~bpo11+1
1.44.0-1
1.44.0-2
1.45.0-1
1.45.1-1~bpo10+1
1.45.1-1~bpo11+1
1.45.1-1
1.46.0-1~bpo10+1
1.46.0-1~bpo10+2
1.46.0-1~bpo11+1
1.46.0-1~bpo11+2
1.46.0-1~bpo11+3
1.46.0-1
1.47.0-1
1.47.0-2~bpo10+1
1.47.0-2~bpo11+1
1.47.0-2
1.47.1-1~bpo10+1
1.47.1-1~bpo11+1
1.47.1-1
1.48.0-1~bpo10+1
1.48.0-1~bpo11+1
1.48.0-1
1.49.0-1~bpo10+1
1.49.0-1~bpo10+2
1.49.0-1~bpo10+4
1.49.0-1~bpo11+1
1.49.0-1~bpo11+2
1.49.0-1~bpo11+3
1.49.0-1
1.49.2-1
1.50.0-1
1.50.1-1
1.50.2-1
1.51.0-1~bpo10+1
1.51.0-1~bpo10+2
1.51.0-1~bpo10+3
1.51.0-1~bpo11+1
1.51.0-1~bpo11+2
1.51.0-1
1.52.0-1~bpo10+1
1.52.0-1~bpo11+1
1.52.0-1
1.53.0-1~bpo11+1
1.53.0-1
1.55.0-1~bpo11+1
1.55.0-1
1.55.0-2
1.56.0-1
1.57.1-1~bpo11+1
1.57.1-1
1.59.1-1
1.59.1-2~bpo11+1
1.59.1-2
1.61.0-1~bpo11+1
1.61.0-1~bpo11+2
1.61.0-1~bpo11+3
1.61.0-1
1.61.0-2
1.61.0-3
1.61.1-1
1.63.0-1~bpo11+1
1.63.0-1
1.64.0-1
1.64.0-2
1.64.0-3
1.65.0-1
1.66.0-1~bpo11+1
1.66.0-1
1.66.0-2
1.68.0-1~bpo11+1
1.68.0-1
1.69.0-1~bpo11+1
1.69.0-1
1.70.1-1~bpo11+1
1.70.1-1
1.71.0-1
1.71.0-2~bpo11+1
1.71.0-2
1.72.0-1~bpo11+1
1.72.0-1
1.73.0-1~bpo11+1
1.73.0-1
1.74.0-1~bpo11+1
1.74.0-1~bpo11+2
1.74.0-1
1.77.0-1
1.78.0-1~bpo11+1
1.78.0-1