GHSA-98px-6486-j7qc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-98px-6486-j7qc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-98px-6486-j7qc/GHSA-98px-6486-j7qc.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-98px-6486-j7qc
- Aliases
- Published
- 2023-06-06T16:41:34Z
- Modified
- 2024-09-30T21:21:30.277780Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Synapse has URL deny list bypass via oEmbed and image URLs when generating previews
- Details
-
Impact
A discovered oEmbed or image URL can bypass the
url_preview_url_blacklistsetting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by theurl_preview_ip_range_blacklistsetting (by default this only allows public IPs) and by the limited information returned to the client:- For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded.
- For discovered image URLs, any non-image response is discarded.
Systems which have URL preview disabled (via the
url_preview_enabledsetting) or have not configured aurl_preview_url_blacklistare not affected.Because of the uncommon configuration required, the limited information a malicious user, and the amount of guesses/time the attack would need; the severity is rated as low.
Patches
The issue is fixed by #15601.
Workarounds
The default configuration of the
url_preview_ip_range_blacklistshould protect against requests being made to internal infrastructure, URL previews of public URLs is expected.Alternately URL previews could be disabled using the
url_preview_enabledsetting. - Database specific
{ "nvd_published_at": "2023-06-06T19:15:11Z", "cwe_ids": [ "CWE-863", "CWE-918" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-06-06T16:41:34Z" }- References
-
- https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc
- https://nvd.nist.gov/vuln/detail/CVE-2023-32683
- https://github.com/matrix-org/synapse/pull/15601
- https://github.com/matrix-org/synapse
- https://github.com/matrix-org/synapse/releases/tag/v1.85.0
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2
Affected packages
PyPI / matrix-synapse
Package
- Name
- matrix-synapse
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-synapse
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.85.0
Affected versions
0.*
0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0rc2
1.26.0
1.27.0rc1
1.27.0rc2
1.27.0
1.28.0rc1
1.28.0
1.29.0rc1
1.29.0
1.30.0rc1
1.30.0
1.30.1
1.31.0rc1
1.31.0
1.32.0rc1
1.32.0
1.32.1
1.32.2
1.33.0rc1
1.33.0rc2
1.33.0
1.33.1
1.33.2
1.34.0rc1
1.34.0
1.35.0rc1
1.35.0rc2
1.35.0rc3
1.35.0
1.35.1
1.36.0rc1
1.36.0rc2
1.36.0
1.37.0rc1
1.37.0
1.37.1rc1
1.37.1
1.38.0rc1
1.38.0rc2
1.38.0rc3
1.38.0
1.38.1
1.39.0rc1
1.39.0rc2
1.39.0rc3
1.39.0
1.40.0rc1
1.40.0rc2
1.40.0rc3
1.40.0
1.41.0rc1
1.41.0
1.41.1
1.42.0rc1
1.42.0rc2
1.42.0
1.43.0rc1
1.43.0rc2
1.43.0
1.44.0rc1
1.44.0rc2
1.44.0rc3
1.44.0
1.45.0rc1
1.45.0rc2
1.45.0
1.45.1
1.46.0rc1
1.46.0
1.47.0rc1
1.47.0rc2
1.47.0rc3
1.47.0
1.47.1
1.48.0rc1
1.48.0
1.49.0rc1
1.49.0
1.49.2
1.50.0rc1
1.50.0rc2
1.50.0
1.50.1
1.50.2
1.51.0rc1
1.51.0rc2
1.51.0
1.52.0rc1
1.52.0
1.53.0rc1
1.53.0
1.54.0rc1
1.54.0
1.55.0rc1
1.55.0
1.55.1
1.55.2
1.56.0rc1
1.56.0
1.57.0rc1
1.57.0
1.57.1
1.58.0rc2
1.58.0
1.58.1
1.59.0rc1
1.59.0rc2
1.59.0
1.59.1
1.60.0rc1
1.60.0rc2
1.60.0
1.61.0rc1
1.61.0
1.61.1
1.62.0rc1
1.62.0rc2
1.62.0rc3
1.62.0
1.63.0rc1
1.63.0
1.63.1
1.64.0rc1
1.64.0rc2
1.64.0
1.65.0rc1
1.65.0rc2
1.65.0
1.66.0rc1
1.66.0rc2
1.66.0
1.67.0rc1
1.67.0
1.68.0rc1
1.68.0rc2
1.68.0
1.69.0rc1
1.69.0rc2
1.69.0rc4
1.69.0
1.70.0rc1
1.70.0rc2
1.70.0
1.70.1
1.71.0rc1
1.71.0rc2
1.71.0
1.72.0rc1
1.72.0
1.73.0rc2
1.73.0
1.74.0rc1
1.74.0
1.75.0rc1
1.75.0rc2
1.75.0
1.76.0rc1
1.76.0rc2
1.76.0
1.77.0rc1
1.77.0rc2
1.77.0
1.78.0rc1
1.78.0
1.79.0rc1
1.79.0rc2
1.79.0
1.80.0rc1
1.80.0rc2
1.80.0
1.81.0rc1
1.81.0rc2
1.81.0
1.82.0rc1
1.82.0
1.83.0rc1
1.83.0
1.84.0rc1
1.84.0
1.84.1
1.85.0rc1
1.85.0rc2