FreeBSD07C0D782-F758-11EC-ACAA-901B0E9408DCpy-matrix-synapse -- unbounded recursion in urlpreview
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
49.1%
Matrix developers report:
This release fixes a vulnerability with Synapse’s URL preview feature. URL previews
of some web pages can lead to unbounded recursion, causing the request to either fail,
or in some cases crash the running Synapse process.
Note that:
Homeservers with the url_preview_enabled configuration option set to false
(the default value) are unaffected.
Instances with the enable_media_repo configuration option set to false are
also unaffected, as this also disables the URL preview functionality.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | py37-matrix-synapse | < 1.61.1 | UNKNOWN |
| FreeBSD | any | noarch | py38-matrix-synapse | < 1.61.1 | UNKNOWN |
| FreeBSD | any | noarch | py39-matrix-synapse | < 1.61.1 | UNKNOWN |
| FreeBSD | any | noarch | py310-matrix-synapse | < 1.61.1 | UNKNOWN |
| FreeBSD | any | noarch | py311-matrix-synapse | < 1.61.1 | UNKNOWN |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
49.1%