Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

URL deny list bypass via oEmbed and image URLs when generating previews

Low
erikjohnston published GHSA-98px-6486-j7qc Jun 6, 2023

Package

pip matrix-synapse (pip)

Affected versions

< 1.85.0

Patched versions

1.85.0

Description

Impact

A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist setting (by default this only allows public IPs) and by the limited information returned to the client:

  • For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded.
  • For discovered image URLs, any non-image response is discarded.

Systems which have URL preview disabled (via the url_preview_enabled setting) or have not configured a url_preview_url_blacklist are not affected.

Because of the uncommon configuration required, the limited information a malicious user, and the amount of guesses/time the attack would need; the severity is rated as low.

Patches

The issue is fixed by #15601.

Workarounds

The default configuration of the url_preview_ip_range_blacklist should protect against requests being made to internal infrastructure, URL previews of public URLs is expected.

Alternately URL previews could be disabled using the url_preview_enabled setting.

Severity

Low

CVE ID

CVE-2023-32683

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.