What is CVE-2023-32683?

CVE-2023-32683 is a vulnerability in Synapse, a Matrix protocol homeserver, that allows bypassing network policies and potentially enables server-side request forgery.

How can CVE-2023-32683 be exploited?

CVE-2023-32683 can be exploited by using a discovered oEmbed or image URL to bypass the 'url_preview_url_blacklist' setting in Synapse, potentially leading to server-side request forgery or bypassing network policies.

How can I fix CVE-2023-32683?

To fix CVE-2023-32683, update your Synapse installation to version 1.85.0 or above.

Where can I find more information about CVE-2023-32683?

You can find more information about CVE-2023-32683 in the GitHub pull request and security advisory, as well as the Fedora Project mailing list.

Vulnerability/
CVE-2023-32683

medium

5.4

CWE

863 918

6/6/2023

9/11/2023

CVE-2023-32683: SSRF

Q: What is the impact of CVE-2023-32683?

The impact of CVE-2023-32683 is limited to IP addresses allowed by the 'url_preview_url_blacklist' setting in Synapse.

First published: Tue Jun 06 2023(Updated: )

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Synapse	<1.85.0
pip/matrix-synapse	<1.85.0	1.85.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-32683?
CVE-2023-32683 is a vulnerability in Synapse, a Matrix protocol homeserver, that allows bypassing network policies and potentially enables server-side request forgery.
What is the impact of CVE-2023-32683?
The impact of CVE-2023-32683 is limited to IP addresses allowed by the 'url_preview_url_blacklist' setting in Synapse.
How can CVE-2023-32683 be exploited?
CVE-2023-32683 can be exploited by using a discovered oEmbed or image URL to bypass the 'url_preview_url_blacklist' setting in Synapse, potentially leading to server-side request forgery or bypassing network policies.
How can I fix CVE-2023-32683?
To fix CVE-2023-32683, update your Synapse installation to version 1.85.0 or above.
Where can I find more information about CVE-2023-32683?
You can find more information about CVE-2023-32683 in the GitHub pull request and security advisory, as well as the Fedora Project mailing list.

collector/nvd-index
collector/github-advisory-latest
alias/GHSA-98px-6486-j7qc
alias/CVE-2023-32683
collector/nvd-cve
collector/github-advisory
vendor/matrix
canonical/matrix synapse
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.