
CVE-2022-41952

Uncontrolled Resource Consumption in Matrix Synapse

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC

Description

Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_preview_enabled: false` in the Synapse configuration file.

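The two mitigations the description attributes to 1.52.0 and 1.53.0 (a 30 second deadline on the preview fetch, and refusing to fetch at all unless the Content-Type is allow-listed), modelled as an added example; this is not Synapse's own code. The allow-list values, reading the `10M` default as 10 MiB, and the simulated endless stream and clock are constructed assumptions for the demo.

```python
import time

# Constructed allow list (hypothetical values; the real list Synapse ships is not on this page).
PREVIEWABLE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/png", "image/jpeg"}
MAX_SPIDER_SIZE = 10 * 1024 * 1024  # the page's max_spider_size default of 10M, taken as 10 MiB
PREVIEW_TIMEOUT = 30.0              # the 30 second limit the page attributes to 1.52.0


def should_attempt_preview(content_type: str) -> bool:
    """1.53.0-style gate: do not fetch a body at all unless the media type is allow-listed."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in PREVIEWABLE_CONTENT_TYPES


def read_with_limits(chunks, max_bytes=MAX_SPIDER_SIZE, timeout=PREVIEW_TIMEOUT, clock=time.monotonic):
    """Drain a body, stopping at the byte cap or the deadline, whichever comes first.
    timeout=None reproduces pre-1.52.0 behaviour: only max_bytes ends the read, so an endless
    stream holds the connection until 10 MiB arrive. Returns (data, reason)."""
    deadline = None if timeout is None else clock() + timeout
    buf = bytearray()
    for chunk in chunks:
        if deadline is not None and clock() >= deadline:
            return bytes(buf), "timeout"
        buf.extend(chunk)
        if len(buf) >= max_bytes:
            return bytes(buf[:max_bytes]), "size"
    return bytes(buf), "complete"


def endless_stream(chunk_size=4096):
    """Constructed stand-in for an Icecast-style audio stream: it never ends."""
    while True:
        yield b"\x00" * chunk_size


class FakeClock:
    """Constructed clock that advances one second per read, so the demo runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        self.now += 1.0
        return self.now


def compare_behaviours():
    """Stop reason and bytes read under the old (no timeout) and new (30 s timeout) policies."""
    old = read_with_limits(endless_stream(), timeout=None)
    new = read_with_limits(endless_stream(), timeout=PREVIEW_TIMEOUT, clock=FakeClock())
    return {"old": (old[1], len(old[0])), "new": (new[1], len(new[0]))}
```

With the gate in place a stream such as `audio/mpeg` is never fetched, so the timeout only matters for allow-listed types whose server stalls or streams indefinitely.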

*Credits: N/A

CVSS Scores
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (the 5.3 score shown above): Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: Low
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: None; Availability: Low
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-09-30 CVE Reserved
  • 2022-11-22 CVE Published
  • 2024-06-14 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-772: Missing Release of Resource after Effective Lifetime
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Matrix | Product: Synapse | Version: < 1.53.0 | Other: - | Status: Affected