CVE-2022-41952

Опубликовано: 22 нояб. 2022

Источник: nvd

CVSS3: 6.5

CVSS3: 5.3

EPSS Низкий

Описание

Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after max_spider_size (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_pre

Ссылки

https://github.com/matrix-org/synapse/pull/11784
Patch
Third Party Advisory
https://github.com/matrix-org/synapse/pull/11936
Patch
Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.52.0
Release Notes
Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.53.0
Release Notes
Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h
Mitigation
Third Party Advisory
https://github.com/matrix-org/synapse/pull/11784
Patch
Third Party Advisory
https://github.com/matrix-org/synapse/pull/11936
Patch
Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.52.0
Release Notes
Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.53.0
Release Notes
Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

Версия до 1.53.0 (исключая)

EPSS

Процентиль: 66%

0.00523

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-400

CWE-772

Связанные уязвимости

CVE-2022-41952

CVSS3: 6.5

ubuntu

около 3 лет назад

Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_...

CVE-2022-41952

CVSS3: 6.5

debian

около 3 лет назад

Synapse before 1.52.0 with URL preview functionality enabled will atte ...

GHSA-4822-jvwx-w47h

CVSS3: 5.3

github

почти 4 года назад

Uncontrolled Resource Consumption in Matrix Synapse

EPSS

Процентиль: 66%

0.00523

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-400

CWE-772