pysec-2023-85
Vulnerability from pysec
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the url_preview_url_blacklist
setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist
setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the url_preview_enabled
setting) or have not configured a url_preview_url_blacklist
are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "matrix-synapse", "purl": "pkg:pypi/matrix-synapse" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.85.0" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.33.5", "0.33.5.1", "0.33.6", "0.33.6rc1", "0.33.7", "0.33.7rc1", "0.33.7rc2", "0.33.8", "0.33.8rc2", "0.33.9", "0.34.0", "0.34.0.1", "0.34.0rc1", "0.34.0rc2", "0.34.1.1", "0.99.0", "0.99.0rc1", "0.99.0rc2", "0.99.0rc3", "0.99.0rc4", "0.99.1", "0.99.1.1", "0.99.1rc1", "0.99.1rc2", "0.99.2", "0.99.2rc1", "0.99.3", "0.99.3.1", "0.99.3.2", "0.99.3rc1", "0.99.4", "0.99.4rc1", "0.99.5", "0.99.5.1", "0.99.5.2", "0.99.5rc1", "1.0.0", "1.0.0rc1", "1.0.0rc2", "1.0.0rc3", "1.1.0", "1.1.0rc1", "1.1.0rc2", "1.10.0", "1.10.0rc1", "1.10.0rc2", "1.10.0rc3", "1.10.0rc5", "1.10.1", "1.11.0", "1.11.0rc1", "1.11.1", "1.12.0", "1.12.0rc1", "1.12.1", "1.12.1rc1", "1.12.2", "1.12.3", "1.12.4", "1.12.4rc1", "1.13.0", "1.13.0rc1", "1.13.0rc2", "1.13.0rc3", "1.14.0", "1.14.0rc1", "1.14.0rc2", "1.15.0", "1.15.0rc1", "1.15.1", "1.15.2", "1.16.0", "1.16.0rc1", "1.16.0rc2", "1.16.1", "1.17.0", "1.17.0rc1", "1.18.0", "1.18.0rc1", "1.18.0rc2", "1.19.0", "1.19.0rc1", "1.19.1", "1.19.1rc1", "1.19.2", "1.19.3", "1.2.0", "1.2.0rc1", "1.2.0rc2", "1.2.1", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.0rc4", "1.20.0rc5", "1.20.1", "1.21.0", "1.21.0rc1", "1.21.0rc2", "1.21.0rc3", "1.21.1", "1.21.2", "1.22.0", "1.22.0rc1", "1.22.0rc2", "1.22.1", "1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.0rc2", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.26.0rc2", "1.27.0", "1.27.0rc1", "1.27.0rc2", "1.28.0", "1.28.0rc1", "1.29.0", "1.29.0rc1", "1.3.0", "1.3.0rc1", "1.3.1", "1.30.0", "1.30.0rc1", "1.30.1", "1.31.0", "1.31.0rc1", "1.32.0", "1.32.0rc1", "1.32.1", "1.32.2", "1.33.0", "1.33.0rc1", "1.33.0rc2", "1.33.1", "1.33.2", "1.34.0", "1.34.0rc1", "1.35.0", "1.35.0rc1", "1.35.0rc2", "1.35.0rc3", "1.35.1", "1.36.0", "1.36.0rc1", "1.36.0rc2", "1.37.0", "1.37.0rc1", "1.37.1", "1.37.1rc1", "1.38.0", "1.38.0rc1", "1.38.0rc2", "1.38.0rc3", "1.38.1", "1.39.0", "1.39.0rc1", "1.39.0rc2", "1.39.0rc3", "1.4.0", "1.4.0rc1", "1.4.0rc2", "1.4.1", "1.4.1rc1", "1.40.0", "1.40.0rc1", "1.40.0rc2", "1.40.0rc3", "1.41.0", "1.41.0rc1", "1.41.1", "1.42.0", "1.42.0rc1", "1.42.0rc2", "1.43.0", "1.43.0rc1", "1.43.0rc2", "1.44.0", "1.44.0rc1", "1.44.0rc2", "1.44.0rc3", "1.45.0", "1.45.0rc1", "1.45.0rc2", "1.45.1", "1.46.0", "1.46.0rc1", "1.47.0", "1.47.0rc1", "1.47.0rc2", "1.47.0rc3", "1.47.1", "1.48.0", "1.48.0rc1", "1.49.0", "1.49.0rc1", "1.49.2", "1.5.0", "1.5.0rc1", "1.5.0rc2", "1.5.1", "1.50.0", "1.50.0rc1", "1.50.0rc2", "1.50.1", "1.50.2", "1.51.0", "1.51.0rc1", "1.51.0rc2", "1.52.0", "1.52.0rc1", "1.53.0", "1.53.0rc1", "1.54.0", "1.54.0rc1", "1.55.0", "1.55.0rc1", "1.55.1", "1.55.2", "1.56.0", "1.56.0rc1", "1.57.0", "1.57.0rc1", "1.57.1", "1.58.0", "1.58.0rc2", "1.58.1", "1.59.0", "1.59.0rc1", "1.59.0rc2", "1.59.1", "1.6.0", "1.6.0rc1", "1.6.0rc2", "1.6.1", "1.60.0", "1.60.0rc1", "1.60.0rc2", "1.61.0", "1.61.0rc1", "1.61.1", "1.62.0", "1.62.0rc1", "1.62.0rc2", "1.62.0rc3", "1.63.0", "1.63.0rc1", "1.63.1", "1.64.0", "1.64.0rc1", "1.64.0rc2", "1.65.0", "1.65.0rc1", "1.65.0rc2", "1.66.0", "1.66.0rc1", "1.66.0rc2", "1.67.0", "1.67.0rc1", "1.68.0", "1.68.0rc1", "1.68.0rc2", "1.69.0", "1.69.0rc1", "1.69.0rc2", "1.69.0rc4", "1.7.0", "1.7.0rc1", "1.7.0rc2", "1.7.1", "1.7.2", "1.7.3", "1.70.0", "1.70.0rc1", "1.70.0rc2", "1.70.1", "1.71.0", "1.71.0rc1", "1.71.0rc2", "1.72.0", "1.72.0rc1", "1.73.0", "1.73.0rc2", "1.74.0", "1.74.0rc1", "1.75.0", "1.75.0rc1", "1.75.0rc2", "1.76.0", "1.76.0rc1", "1.76.0rc2", "1.77.0", "1.77.0rc1", "1.77.0rc2", "1.78.0", "1.78.0rc1", "1.79.0", "1.79.0rc1", "1.79.0rc2", "1.8.0", "1.8.0rc1", "1.80.0", "1.80.0rc1", "1.80.0rc2", "1.81.0", "1.81.0rc1", "1.81.0rc2", "1.82.0", "1.82.0rc1", "1.83.0", "1.83.0rc1", "1.84.0", "1.84.0rc1", "1.84.1", "1.85.0rc1", "1.85.0rc2", "1.9.0", "1.9.0.dev1", "1.9.0.dev2", "1.9.0rc1", "1.9.1" ] } ], "aliases": [ "CVE-2023-32683", "GHSA-98px-6486-j7qc" ], "details": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.", "id": "PYSEC-2023-85", "modified": "2023-06-13T20:24:13.764030Z", "published": "2023-06-06T19:15:00Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc" }, { "type": "FIX", "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc" }, { "type": "FIX", "url": "https://github.com/matrix-org/synapse/pull/15601" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.