CVE-2022-31052

URL previews can crash Synapse media repositories or Synapse monoliths

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.

Synapse es una implementación de servidor doméstico de código abierto para la red de chat Matrix. En versiones anteriores a 1.61.1, las previsualizaciones de URL de algunas páginas web pueden agotar el espacio de pila disponible para el proceso de Synapse debido a una recursión sin límites. Esto a veces es recuperable y conlleva a un error para la petición que causa el problema, pero en otros casos el proceso de Synapse puede bloquearse por completo. Es posible explotar esto de forma maliciosa, ya sea por usuarios maliciosos en el servidor doméstico, o por usuarios remotos que envían URLs para las que el cliente de un usuario local puede solicitar automáticamente una visualización previa de la URL. Los usuarios remotos no son capaces de explotar esto directamente, porque el endpoint de la visualización previa de la URL está autenticado. Los despliegues con "url_preview_enabled: false" establecidos en la configuración no están afectados. Los despliegues con "url_preview_enabled: true" establecido en la configuración **están** afectados. Los despliegues sin valor de configuración para "url_preview_enabled" no están afectados, porque el valor por defecto es "false". Es recomendado a administradores de servidores domésticos con visualizaciones previas de URL habilitadas que actualicen a versión v1.61.1 o superior. Los usuarios que no puedan actualizarse deben establecer "url_preview_enabled" en false

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-06-28 CVE Published
2024-01-19 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-674: Uncontrolled Recursion

CAPEC

References (5)

URL	Tag	Source
https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD	2023-11-07
https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Matrix Search vendor "Matrix"		Synapse Search vendor "Matrix" for product "Synapse"				< 1.61.1 Search vendor "Matrix" for product "Synapse" and version " < 1.61.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected