Vulnerability Description
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_preview_enabled: false` in the Synapse configuration file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Synapse | < 1.53.0 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/synapse/pull/11784PatchThird Party Advisory
- https://github.com/matrix-org/synapse/pull/11936PatchThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.52.0Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.53.0Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47hMitigationThird Party Advisory
- https://github.com/matrix-org/synapse/pull/11784PatchThird Party Advisory
- https://github.com/matrix-org/synapse/pull/11936PatchThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.52.0Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/releases/tag/v1.53.0Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47hMitigationThird Party Advisory
FAQ
What is CVE-2022-41952?
CVE-2022-41952 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated ...
How severe is CVE-2022-41952?
CVE-2022-41952 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-41952?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Synapse.