First published: Tue Jun 06 2023(Updated: )
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Matrix Synapse | <1.85.0 | |
pip/matrix-synapse | <1.85.0 | 1.85.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-32683 is a vulnerability in Synapse, a Matrix protocol homeserver, that allows bypassing network policies and potentially enables server-side request forgery.
The impact of CVE-2023-32683 is limited to IP addresses allowed by the 'url_preview_url_blacklist' setting in Synapse.
CVE-2023-32683 can be exploited by using a discovered oEmbed or image URL to bypass the 'url_preview_url_blacklist' setting in Synapse, potentially leading to server-side request forgery or bypassing network policies.
To fix CVE-2023-32683, update your Synapse installation to version 1.85.0 or above.
You can find more information about CVE-2023-32683 in the GitHub pull request and security advisory, as well as the Fedora Project mailing list.