CVE-2023-32683
- Source
- https://cve.org/CVERecord?id=CVE-2023-32683
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32683.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-32683
- Aliases
- Downstream
- Related
- Published
- 2023-06-06T18:24:30.457Z
- Modified
- 2026-04-02T09:00:26.963481Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- URL deny list bypass via oEmbed and image URLs when generating previews in Synapse
- Details
-
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the
url_preview_url_blacklistsetting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by theurl_preview_ip_range_blacklistsetting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via theurl_preview_enabledsetting) or have not configured aurl_preview_url_blacklistare not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32683.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-863" ] }- References
-
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32683.json
- https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc
- https://nvd.nist.gov/vuln/detail/CVE-2023-32683
- https://github.com/matrix-org/synapse/pull/15601
Affected packages
Git / github.com/matrix-org/synapse
Affected ranges
- Type
- GIT
- Repo
- https://github.com/matrix-org/synapse
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.34.0rc2
1.*
1.7.2
Other
2017-02-27
2017-02-27-before
2017-04-05_before-tcp
2017-05-18_1004
2017-05-22_1657
2017-05-23_1048
2017-06-06_1141
alpha
dinsic_2018-07-20
dinsic_2018-07-20_1
dinsic_2018-10-15
dinsic_2018-12-19
dinsic_2019-01-11
dinsic_2019-01-15
dinsic_2019-01-21
dinsic_2019-01-28
dinsic_2019-02-19-beta11
dinsic_2019-02-22-beta12
dinsic_2019-02-22-beta13
dinsic_2019-02-22-beta14
dinsic_2019-02-26
dinsic_2019-03-06
dinsic_2019-03-15
dinsic_2019-03-20
dinsic_2019-03-21
dinsic_2019-04-04
dinsic_2019-04-04_1
dinsic_2019-04-04_2
dinsic_2019-04-05
dinsic_2019-05-09
dinsic_2019-05-14
dinsic_2019-05-17
dinsic_2019-05-31
dinsic_2019-06-04
dinsic_2019-06-10
dinsic_2019-06-10_2
dinsic_2019-06-10_3
dinsic_2019-06-19
dinsic_2019-06-24
dinsic_2019-06-27
dinsic_2019-06-27_1
dinsic_2019-06-28
dinsic_2019-07-04
dinsic_2019-07-09
dinsic_2019-07-18
dinsic_2019-07-31
dinsic_2019-08-08
dinsic_2019-08-12
dinsic_2019-08-29
dinsic_2019-08-30
dinsic_2020-02-10
hhs-1
hhs-2
hhs-3
hhs-4
hhs-5
hhs-6
hhs-7
hhs-8
hhs-9
saml2_auth/181207
modular-dev-v1.*
modular-dev-v1.3.2-alpha.1+modular
modular-dev-v1.3.2-alpha.2+modular
modular-dev-v1.3.2-alpha.3+modular
modular-dev-v1.3.2-alpha.4+modular
modular-dev-v1.3.2-alpha.5+modular
shhs-v1.*
shhs-v1.0
shhs-v1.1
shhs-v1.1.1
shhs-v1.1.1.6-opt
shhs-v1.1.1.7-opt
shhs-v1.2
shhs-v1.2.0.1
shhs-v1.2.0.2
shhs-v1.2.1
shhs-v1.2.1.1
shhs-v1.2.1.2
v0.*
v0.0.0
v0.0.1
v0.1
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.0-r1
v0.10.0-r2
v0.10.0-rc1
v0.10.0-rc2
v0.10.0-rc3
v0.10.0-rc4
v0.10.0-rc5
v0.10.0-rc6
v0.10.1-rc1
v0.11.0
v0.11.0-r1
v0.11.0-r2
v0.11.0-rc1
v0.11.0-rc2
v0.11.1
v0.12.0
v0.12.0-rc1
v0.12.0-rc2
v0.12.0-rc3
v0.12.1-rc1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc1
v0.14.0-rc2
v0.15.0-rc1
v0.16.0
v0.16.0-rc1
v0.16.0-rc2
v0.16.1
v0.16.1-r1
v0.16.1-rc1
v0.17.0
v0.17.0-rc1
v0.17.0-rc2
v0.17.0-rc3
v0.17.0-rc4
v0.17.1
v0.17.1-rc1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.18.0
v0.18.0-rc1
v0.18.1
v0.18.1-rc1
v0.18.2
v0.18.2-rc1
v0.18.2-rc2
v0.18.2-rc3
v0.18.2-rc4
v0.18.2-rc5
v0.18.3
v0.18.4
v0.18.4-rc1
v0.18.5
v0.18.5-rc1
v0.18.5-rc2
v0.18.5-rc3
v0.18.6
v0.18.6-rc1
v0.18.6-rc2
v0.18.6-rc3
v0.18.7
v0.18.7-rc1
v0.18.7-rc2
v0.19.0
v0.19.0-rc1
v0.19.0-rc2
v0.19.0-rc3
v0.19.0-rc4
v0.19.1
v0.19.2
v0.19.3
v0.19.3-rc1
v0.19.3-rc2
v0.2.0
v0.2.1
v0.2.1a
v0.2.2
v0.2.3
v0.20.0
v0.20.0-rc1
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.21.0-rc3
v0.21.1
v0.22.0
v0.22.0-rc1
v0.22.0-rc2
v0.22.1
v0.23.0
v0.23.0-rc1
v0.23.0-rc2
v0.23.1
v0.24.0
v0.24.0-rc1
v0.24.1
v0.25.0
v0.25.0-rc1
v0.25.1
v0.26.0
v0.26.0-rc1
v0.26.1
v0.27.0
v0.27.0-rc1
v0.27.0-rc2
v0.27.1
v0.27.2
v0.27.3
v0.27.3-rc1
v0.27.3-rc2
v0.27.4
v0.28.0
v0.28.0-rc1
v0.28.1
v0.29.0
v0.29.0-rc1
v0.29.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.30.0
v0.30.0-rc1
v0.31.0
v0.31.0-rc1
v0.31.1
v0.31.2
v0.32.0
v0.32.0rc1
v0.32.1
v0.32.2
v0.33.0
v0.33.0rc1
v0.33.1
v0.33.2
v0.33.2.1
v0.33.2rc1
v0.33.3
v0.33.3.1
v0.33.3rc1
v0.33.3rc2
v0.33.4
v0.33.4rc1
v0.33.4rc2
v0.33.5
v0.33.5.1
v0.33.5rc1
v0.33.6
v0.33.6rc1
v0.33.7
v0.33.7rc1
v0.33.7rc2
v0.33.8
v0.33.8rc1
v0.33.8rc2
v0.33.9
v0.33.9rc1
v0.34.0
v0.34.0.1
v0.34.0rc1
v0.34.0rc2
v0.34.1
v0.34.1+1
v0.34.1.1
v0.34.1rc1
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.3a
v0.5.3b
v0.5.3c
v0.5.4
v0.5.4a
v0.6.0
v0.6.0a
v0.6.0b
v0.6.1
v0.6.1a
v0.6.1b
v0.6.1c
v0.6.1d
v0.6.1e
v0.6.1f
v0.7.0
v0.7.0a
v0.7.0b
v0.7.0c
v0.7.0d
v0.7.0e
v0.7.0f
v0.7.1
v0.7.1-r1
v0.7.1-r2
v0.7.1-r3
v0.7.1-r4
v0.8.0
v0.8.1
v0.8.1-r1
v0.8.1-r2
v0.8.1-r3
v0.8.1-r4
v0.9.0
v0.9.0-r1
v0.9.0-r2
v0.9.0-r3
v0.9.0-r4
v0.9.0-r5
v0.9.1
v0.9.2
v0.9.2-r1
v0.9.2-r2
v0.9.3
v0.9.3-rc1
v0.9.4-rc1
v0.99.0
v0.99.0rc1
v0.99.0rc2
v0.99.0rc3
v0.99.0rc4
v0.99.1
v0.99.1.1
v0.99.1rc1
v0.99.1rc2
v0.99.2
v0.99.2rc1
v0.99.3
v0.99.3.1
v0.99.3.2
v0.99.3rc1
v0.99.4
v0.99.4rc1
v0.99.5
v0.99.5.1
v0.99.5.1.dev0
v0.99.5.2
v0.99.5rc1
v1.*
v1.0.0
v1.0.0rc1
v1.0.0rc2
v1.0.0rc3
v1.1.0
v1.1.0rc1
v1.1.0rc2
v1.10.0
v1.10.0rc1
v1.10.0rc2
v1.10.0rc3
v1.10.0rc4
v1.10.0rc5
v1.10.1
v1.11.0
v1.11.0rc1
v1.11.1
v1.12.0
v1.12.0rc1
v1.12.1
v1.12.1rc1
v1.12.2
v1.12.3
v1.12.4
v1.12.4rc1
v1.13.0
v1.13.0rc1
v1.13.0rc2
v1.13.0rc3
v1.14.0
v1.14.0rc1
v1.14.0rc2
v1.15.0
v1.15.0rc1
v1.15.1
v1.15.2
v1.16.0
v1.16.0rc1
v1.16.0rc2
v1.16.1
v1.17.0
v1.17.0-mod1-modular-vdhtest2
v1.17.0rc1
v1.18.0
v1.18.0rc1
v1.18.0rc2
v1.19.0
v1.19.0rc1
v1.19.1
v1.19.1rc1
v1.19.2
v1.19.3
v1.2.0
v1.2.0rc1
v1.2.0rc2
v1.2.1
v1.20.0
v1.20.0rc1
v1.20.0rc2
v1.20.0rc3
v1.20.0rc4
v1.20.0rc5
v1.20.1
v1.21.0
v1.21.0rc1
v1.21.0rc2
v1.21.0rc3
v1.21.1
v1.21.2
v1.22.0
v1.22.0rc1
v1.22.0rc2
v1.22.1
v1.23.0
v1.23.0rc1
v1.23.1
v1.24.0
v1.24.0rc1
v1.24.0rc2
v1.25.0
v1.25.0rc1
v1.26.0
v1.26.0-deb
v1.26.0rc1
v1.26.0rc2
v1.27.0
v1.27.0rc1
v1.27.0rc2
v1.28.0
v1.28.0rc1
v1.29.0
v1.29.0rc1
v1.3.0
v1.3.0rc1
v1.3.1
v1.30.0
v1.30.0rc1
v1.30.1
v1.31.0
v1.31.0rc1
v1.32.0
v1.32.0rc1
v1.32.1
v1.32.2
v1.33.0
v1.33.0rc1
v1.33.0rc2
v1.33.1
v1.33.2
v1.34.0
v1.34.0rc1
v1.35.0
v1.35.0rc1
v1.35.0rc2
v1.35.0rc3
v1.35.1
v1.36.0
v1.36.0rc1
v1.36.0rc2
v1.37.0
v1.37.0rc1
v1.37.1
v1.37.1a1
v1.37.1rc1
v1.38.0
v1.38.0rc1
v1.38.0rc2
v1.38.0rc3
v1.38.1
v1.39.0
v1.39.0rc1
v1.39.0rc2
v1.39.0rc3
v1.4.0
v1.4.0rc1
v1.4.0rc2
v1.4.1
v1.4.1rc1
v1.40.0
v1.40.0rc1
v1.40.0rc2
v1.40.0rc3
v1.41.0
v1.41.0rc1
v1.41.1
v1.42.0
v1.42.0rc1
v1.42.0rc2
v1.43.0
v1.43.0rc1
v1.43.0rc2
v1.44.0
v1.44.0rc1
v1.44.0rc2
v1.44.0rc3
v1.45.0
v1.45.0rc1
v1.45.0rc2
v1.45.1
v1.46-modular1
v1.46.0
v1.46.0rc1
v1.47.0
v1.47.0rc1
v1.47.0rc2
v1.47.0rc3
v1.47.1
v1.48.0
v1.48.0rc1
v1.49.0
v1.49.0rc1
v1.49.1
v1.49.2
v1.5.0
v1.5.0rc1
v1.5.0rc2
v1.5.1
v1.5.1_modular_device_hotfix
v1.50.0
v1.50.0rc1
v1.50.0rc2
v1.50.1
v1.50.2
v1.51.0
v1.51.0rc1
v1.51.0rc2
v1.52.0
v1.52.0rc1
v1.53.0
v1.53.0rc1
v1.54.0
v1.54.0rc1
v1.55.0
v1.55.0rc1
v1.55.1
v1.55.2
v1.56.0
v1.56.0rc1
v1.57.0
v1.57.0rc1
v1.57.1
v1.58.0
v1.58.0rc1
v1.58.0rc2
v1.58.1
v1.59.0
v1.59.0rc1
v1.59.0rc2
v1.59.1
v1.6.0
v1.6.0rc1
v1.6.0rc2
v1.6.1
v1.60.0
v1.60.0rc1
v1.60.0rc2
v1.61.0
v1.61.0rc1
v1.61.1
v1.62.0
v1.62.0rc1
v1.62.0rc2
v1.62.0rc3
v1.63.0
v1.63.0rc1
v1.63.1
v1.64.0
v1.64.0rc1
v1.64.0rc2
v1.65.0
v1.65.0.post1.dev1
v1.65.0rc1
v1.65.0rc2
v1.66.0
v1.66.0rc1
v1.66.0rc2
v1.67.0
v1.67.0rc1
v1.68.0
v1.68.0rc1
v1.68.0rc2
v1.69.0
v1.69.0rc1
v1.69.0rc2
v1.69.0rc3
v1.69.0rc4
v1.7.0
v1.7.0rc1
v1.7.0rc2
v1.7.1
v1.7.1_modular_profile_hotfix
v1.7.2
v1.7.3
v1.70.0
v1.70.0rc1
v1.70.0rc2
v1.70.1
v1.71.0
v1.71.0rc1
v1.71.0rc2
v1.72.0
v1.72.0rc1
v1.73.0
v1.73.0rc1
v1.73.0rc2
v1.74.0
v1.74.0rc1
v1.75.0
v1.75.0rc1
v1.75.0rc2
v1.76.0
v1.76.0rc1
v1.76.0rc2
v1.77.0
v1.77.0rc1
v1.77.0rc2
v1.78.0
v1.78.0rc1
v1.79.0
v1.79.0rc1
v1.79.0rc2
v1.8.0
v1.8.0rc1
v1.80.0
v1.80.0rc1
v1.80.0rc2
v1.81.0
v1.81.0rc1
v1.81.0rc2
v1.82.0
v1.82.0rc1
v1.83.0
v1.83.0rc1
v1.84.0
v1.84.0rc1
v1.84.1
v1.85.0rc1
v1.85.0rc2
v1.9.0
v1.9.0.dev1
v1.9.0.dev2
v1.9.0rc1
v1.9.1