Allocation of Resources Without Limits or Throttling Affecting matrix-synapse package, versions [,1.53.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-MATRIXSYNAPSE-5415005
- published 6 Apr 2023
- disclosed 6 Apr 2023
- credit Unknown
Introduced: 6 Apr 2023
CVE-2022-41952 Open this link in a new tabHow to fix?
Upgrade matrix-synapse
to version 1.53.0 or higher.
Overview
matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling such that connections will only be terminated after max_spider_size
(default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast).
Workaround
Users can turn off URL preview functionality by setting url_preview_enabled: false
in the Synapse configuration file.