Score | Rating | Vector |
---|---|---|
CVSS3 | 5.3 Medium | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVSS2 | 5 Medium | AV:N/AC:L/Au:N/C:N/I:N/A:P |
EPSS | 0.002 Low | Percentile 56.2% |

CVSS3 metrics: Attack Vector NETWORK; Attack Complexity LOW; Privileges Required NONE; User Interaction NONE; Scope UNCHANGED; Confidentiality Impact NONE; Integrity Impact NONE; Availability Impact LOW.
CVSS2 metrics: Access Vector NETWORK; Access Complexity LOW; Authentication NONE; Confidentiality Impact NONE; Integrity Impact NONE; Availability Impact PARTIAL.
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_preview_enabled: false` in the Synapse configuration file.
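The three behaviours the description contrasts, as an added Python model that is not Synapse's own code: a body read bounded only by `max_spider_size` (before 1.52.0), the 30-second connection timeout (1.52.0), and a content-type allow list checked before any download (1.53.0). The allow list contents, the constructed one-chunk-per-second endless stream and the fake clock are assumptions made for the demonstration.

```python
import time
from typing import Callable, Dict, Iterator, Tuple

MAX_SPIDER_SIZE = 10 * 1024 * 1024   # Synapse default max_spider_size (10M)
PREVIEW_TIMEOUT = 30.0               # per-connection timeout introduced in 1.52.0
# Assumed allow list of previewable content types; not Synapse's actual list.
PREVIEWABLE = ("text/html", "image/")

class PreviewAborted(Exception):
    """Raised when a preview download is cut off; carries the reason and bytes read so far."""
    def __init__(self, reason: str, downloaded: int):
        super().__init__(reason)
        self.reason, self.downloaded = reason, downloaded

def content_type_allowed(content_type: str) -> bool:  # 1.53.0-style allow list check
    base = content_type.split(";", 1)[0].strip().lower()
    return any(base.startswith(p) if p.endswith("/") else base == p for p in PREVIEWABLE)

def read_preview_body(chunks: Iterator[bytes], content_type: str, *,
                      max_bytes: int = MAX_SPIDER_SIZE, timeout: float = PREVIEW_TIMEOUT,
                      check_type: bool = True, clock: Callable[[], float] = time.monotonic) -> bytes:
    """Read a response body for previewing, bounded by content type, wall-clock time and size."""
    if check_type and not content_type_allowed(content_type):
        raise PreviewAborted("content-type not previewable", 0)
    deadline = clock() + timeout
    buf = bytearray()
    for chunk in chunks:
        if clock() >= deadline:               # 1.52.0 guard: stop after 30 s regardless of size
            raise PreviewAborted("timeout", len(buf))
        buf += chunk
        if len(buf) >= max_bytes:             # pre-1.52.0: the only limit that ever fired
            raise PreviewAborted("max_spider_size", len(buf))
    return bytes(buf)

def endless_stream(clock: Dict[str, float], chunk: bytes = b"\x00" * 1024) -> Iterator[bytes]:
    """Constructed stand-in for a media stream such as Icecast: 1 KiB per 'second', never ends."""
    while True:
        clock["now"] += 1.0
        yield chunk

def simulate(content_type: str, *, timeout: float = PREVIEW_TIMEOUT,
             check_type: bool = True) -> Tuple[str, int]:
    """Return (abort reason, bytes downloaded) when previewing an endless stream."""
    clock = {"now": 0.0}   # constructed clock advanced by the stream, so the run finishes instantly
    try:
        read_preview_body(endless_stream(clock), content_type, timeout=timeout,
                          check_type=check_type, clock=lambda: clock["now"])
    except PreviewAborted as e:
        return e.reason, e.downloaded
    return "completed", 0
```

With no deadline the read only stops after the full 10M, while a misdeclared `text/html` stream still passes the allow list and is cut off by the timeout alone.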
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | matrix-synapse | < any | UNKNOWN |
ubuntu | 20.04 | noarch | matrix-synapse | < any | UNKNOWN |
github.com/matrix-org/synapse/pull/11784
github.com/matrix-org/synapse/pull/11936
github.com/matrix-org/synapse/releases/tag/v1.52.0
github.com/matrix-org/synapse/releases/tag/v1.53.0
github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h
launchpad.net/bugs/cve/CVE-2022-41952
nvd.nist.gov/vuln/detail/CVE-2022-41952
security-tracker.debian.org/tracker/CVE-2022-41952
www.cve.org/CVERecord?id=CVE-2022-41952