Server-side Request Forgery (SSRF) Affecting matrix-synapse package, versions [,1.85.0rc1)
Snyk ID SNYK-PYTHON-MATRIXSYNAPSE-5668919
- published 7 Jun 2023
- disclosed 6 Jun 2023
- credit Unknown
Introduced: 6 Jun 2023
CVE-2023-32683
How to fix?
Upgrade matrix-synapse to version 1.85.0rc1 or higher.
Overview
matrix-synapse (Synapse) is a homeserver implementation for Matrix, an open ecosystem for federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). When generating a URL preview, Synapse checks the URL the user requests against the url_preview_url_blacklist deny list, but it does not apply that list to the oEmbed endpoint or image URL it discovers while previewing that page. A page hosted on an allowed host can therefore point Synapse at a URL the deny list was meant to block, and Synapse will fetch it. The url_preview_ip_range_blacklist setting is still enforced on the discovered URL, so the attacker can only reach addresses that setting allows (only public addresses by default). The information exposed to the client is further limited by the following conditions:
For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded.
For discovered image URLs, any non-image response is discarded.
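The following is an added example, not Synapse's own code, that models the gap described above: a previewer that screens the user-supplied URL against a url_preview_url_blacklist-style deny list but, in the vulnerable mode, fetches discovered oEmbed and og:image URLs unscreened. The IP-range list is enforced on every fetch in both modes, which is why the bypass could only reach addresses that list allows. The deny-list entries, the IP-range subset, the DNS table and the HTML page are all constructed for the example; the matching logic is an approximation of Synapse's component-glob matching, not a copy of it.

```python
"""Illustration of the discovered-URL deny-list gap behind CVE-2023-32683.

Added example code (not Synapse's implementation). A URL previewer fetches
the user-supplied URL, then may fetch URLs it discovers in the response: an
oEmbed endpoint advertised with <link rel="alternate"
type="application/json+oembed"> and the image named by og:image. The
`fixed` flag decides whether those discovered URLs are screened too.
"""
import fnmatch
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed deny list in the shape of url_preview_url_blacklist: each entry
# names URL components, all of which must glob-match for the entry to apply.
URL_BLACKLIST = [
    {"netloc": "internal.example.corp"},
    {"netloc": "*.internal.example.corp"},
]

# Subset of the private/link-local ranges a default url_preview_ip_range_blacklist covers.
IP_RANGE_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]

# Constructed stand-in for DNS so the example runs offline. Both hosts resolve to
# public (TEST-NET) addresses: only the URL deny list protects the internal host.
FAKE_DNS = {
    "blog.example.net": "198.51.100.7",
    "wiki.internal.example.corp": "203.0.113.44",
}


def url_is_blacklisted(url: str) -> bool:
    """Glob-match every component of each deny-list entry against the URL."""
    parts = urlsplit(url)
    components = {
        "scheme": parts.scheme,
        "netloc": parts.netloc,
        "hostname": parts.hostname or "",
        "path": parts.path,
        "username": parts.username or "",
    }
    return any(
        all(fnmatch.fnmatchcase(components.get(k, ""), v) for k, v in entry.items())
        for entry in URL_BLACKLIST
    )


def ip_is_blacklisted(host: str) -> bool:
    """Resolve via FAKE_DNS (or parse a literal IP) and test the range list.
    Unresolvable hosts are treated as blocked."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            return True
        ip = ipaddress.ip_address(FAKE_DNS[host])
    return any(ip in net for net in IP_RANGE_BLACKLIST)


def fetch_allowed(url: str, check_url_blacklist: bool) -> bool:
    """IP-range check always applies; the URL deny list only when asked."""
    if ip_is_blacklisted(urlsplit(url).hostname or ""):
        return False
    return not (check_url_blacklist and url_is_blacklisted(url))


class _Discover(HTMLParser):
    """Pull the oEmbed discovery link and og:image out of a fetched page."""
    def __init__(self):
        super().__init__()
        self.oembed = None
        self.image = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if (tag == "link" and a.get("rel") == "alternate"
                and a.get("type") == "application/json+oembed"):
            self.oembed = a.get("href")
        elif tag == "meta" and a.get("property") == "og:image":
            self.image = a.get("content")


def preview_fetches(page_url: str, page_html: str, fixed: bool) -> list[str]:
    """Return the URLs the previewer ends up requesting.
    fixed=False: discovered URLs skip the URL deny list (pre-1.85.0rc1 behaviour).
    fixed=True: every URL that will be fetched is screened."""
    if not fetch_allowed(page_url, check_url_blacklist=True):
        return []
    fetched = [page_url]
    d = _Discover()
    d.feed(page_html)
    for url in (d.oembed, d.image):
        if url and fetch_allowed(url, check_url_blacklist=fixed):
            fetched.append(url)
    return fetched


# Constructed page on an allowed host whose markup points at a denied host.
PAGE_URL = "https://blog.example.net/post/1"
PAGE_HTML = """<html><head>
<link rel="alternate" type="application/json+oembed"
      href="https://wiki.internal.example.corp/oembed?format=json">
<meta property="og:image" content="https://wiki.internal.example.corp/logo.png">
</head><body>post</body></html>"""

if __name__ == "__main__":
    print("vulnerable:", preview_fetches(PAGE_URL, PAGE_HTML, fixed=False))
    print("fixed:     ", preview_fetches(PAGE_URL, PAGE_HTML, fixed=True))
```

In the vulnerable mode the previewer requests both internal URLs; in the fixed mode it requests only the page itself. Swapping the og:image for a link-local address such as 169.254.169.254 is blocked in both modes, which is the limit the advisory describes: the bypass only reaches hosts the IP-range list already permits.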
Workaround
This vulnerability can be worked around by disabling URL previews entirely, that is, setting url_preview_enabled to false in the homeserver configuration.