PT-2023-23958 · Synapse+3

Rikjohnston · Published 2023-06-06 · Updated 2025-04-22 · CVE-2023-32683

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.85.0
Description: A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting, potentially allowing server-side request forgery or bypassing network policies. The impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist setting and by the limited information returned to the client. For discovered oEmbed URLs, any non-JSON response, or a JSON response that includes non-oEmbed information, is discarded. For discovered image URLs, any non-image response is discarded. Systems with URL preview disabled, or without a configured url_preview_url_blacklist, are not affected.
Recommendations: For versions prior to 1.85.0, upgrade to version 1.85.0 to resolve the issue. As a temporary workaround, consider disabling URL previews by setting url_preview_enabled to False until a patch is available. Restrict access to the url_preview_ip_range_blacklist setting to minimize the risk of exploitation. Avoid relying on the url_preview_url_blacklist setting in configurations where it may be bypassed until the issue is resolved.
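The description and recommendations above boil down to three checks an administrator can run against a homeserver: is URL preview enabled at all, is a url_preview_url_blacklist configured (the only setting the bypass affects), and does url_preview_ip_range_blacklist still fence off internal address space, since the advisory says the impact is bounded by that list. The script below is an added example, not code from the advisory or from the Synapse project. It assumes the relevant top-level keys of homeserver.yaml have been loaded into a Python dict (any YAML parser will do); the EXPECTED_BLOCKED list, the sample configuration and the domain internal.example are constructed for the demonstration.

```python
import ipaddress

# Version that ships the fix, per the advisory text.
FIXED_VERSION = (1, 85, 0)

# Internal ranges a preview fetcher should never be allowed to reach.
# Constructed for this check; not copied from Synapse's own defaults.
EXPECTED_BLOCKED = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",
]


def parse_version(version: str) -> tuple:
    """'1.84.1' -> (1, 84, 1); anything after the third component is ignored."""
    return tuple(int(part) for part in version.split(".")[:3])


def uncovered_ranges(blacklist: list) -> list:
    """Return the EXPECTED_BLOCKED ranges not fully contained in `blacklist`."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in blacklist]
    missing = []
    for expected in EXPECTED_BLOCKED:
        wanted = ipaddress.ip_network(expected)
        covered = any(
            wanted.version == net.version and wanted.subnet_of(net)
            for net in networks
        )
        if not covered:
            missing.append(expected)
    return missing


def assess(config: dict, version: str) -> dict:
    """Classify a homeserver configuration against CVE-2023-32683.

    `config` mirrors the relevant top-level keys of homeserver.yaml.
    Returns an `affected` flag plus human-readable findings.
    """
    if not config.get("url_preview_enabled", False):
        return {"affected": False, "findings": ["URL previews are disabled"]}
    if not config.get("url_preview_url_blacklist"):
        return {"affected": False,
                "findings": ["url_preview_url_blacklist is not configured, "
                             "so there is nothing for the bypass to affect"]}
    if parse_version(version) >= FIXED_VERSION:
        return {"affected": False,
                "findings": [f"version {version} includes the fix"]}

    findings = [f"version {version} is older than 1.85.0 and relies on "
                "url_preview_url_blacklist: upgrade, or set "
                "url_preview_enabled: False as a workaround"]
    # The advisory bounds the impact by url_preview_ip_range_blacklist, so
    # report any internal range that list leaves reachable.
    missing = uncovered_ranges(config.get("url_preview_ip_range_blacklist", []))
    if missing:
        findings.append("url_preview_ip_range_blacklist leaves internal "
                        "ranges reachable: " + ", ".join(missing))
    return {"affected": True, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: an old server with previews on and a thin IP blacklist.
    sample = {
        "url_preview_enabled": True,
        "url_preview_url_blacklist": [{"netloc": "internal.example"}],
        "url_preview_ip_range_blacklist": ["127.0.0.0/8", "10.0.0.0/8"],
    }
    for line in assess(sample, "1.84.1")["findings"]:
        print(line)
```

The url_preview_url_blacklist entry uses Synapse's list-of-dicts shape (keys such as netloc); the point of the last check is that even on a patched server the IP range blacklist is what actually keeps a preview fetch away from loopback, RFC 1918 and link-local space, so it is worth confirming regardless of version.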

Exploit

Fix

Weakness Enumeration

SSRF
Incorrect Authorization

Related Identifiers

ALT-PU-2023-4748
CVE-2023-32683
GHSA-98PX-6486-J7QC
OPENSUSE-SU-2024:13039-1
PYSEC-2023-85
USN-7444-1

Affected Products

Alt Linux
Linuxmint
Synapse
Ubuntu