CVE-2022-31052: Uncontrolled Recursion in Synapse

Severity
6.5 MEDIUM (NVD)
EPSS
0.7%
top 26.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 28, 2022
Latest update: Jun 29, 2022

Description

Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URL
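The failure mode described above, as an added Python illustration that is not Synapse's own code: a URL-preview text extractor that walks the parsed HTML tree recursively spends one interpreter frame per nesting level, so a page nested deeper than the recursion limit exhausts the stack; the same walk written over an explicit stack costs heap instead, and an assumed depth cap (512 here, an illustrative value) turns a hostile page into a clean per-request error. The HTML is constructed for the demo, and `PreviewError` is an assumed name. In pure Python the exhaustion surfaces as a catchable `RecursionError`, which matches the recoverable case the advisory mentions; the whole-process crash is what happens when the overflow occurs outside the interpreter's own limit checks.

```python
"""Added illustration (not Synapse code): why a recursive walk over an HTML
tree is a denial-of-service sink, and the explicit-stack walk that avoids it.
The HTML used below is constructed for the demo."""
import sys
from html.parser import HTMLParser


class Node:
    """Minimal element: tag name plus ordered children (Node or str)."""
    __slots__ = ("tag", "children")

    def __init__(self, tag):
        self.tag = tag
        self.children = []


class TreeBuilder(HTMLParser):
    """Builds a Node tree with an explicit stack, so parsing itself stays
    iterative however deeply the markup nests."""

    def __init__(self):
        super().__init__()
        self.root = Node("root")
        self._open = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag)
        self._open[-1].children.append(node)
        self._open.append(node)

    def handle_endtag(self, tag):
        if len(self._open) > 1:
            self._open.pop()

    def handle_data(self, data):
        self._open[-1].children.append(data)


def parse(html):
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    return builder.root


def text_recursive(node):
    """Vulnerable pattern: one Python frame per nesting level, so a page
    nested deeper than sys.getrecursionlimit() exhausts the stack."""
    parts = []
    for child in node.children:
        parts.append(child if isinstance(child, str) else text_recursive(child))
    return "".join(parts)


class PreviewError(ValueError):
    """Assumed name: raised to fail one request cleanly instead of the worker."""


def text_iterative(node, max_depth=512):
    """Hardened pattern: explicit stack, so depth costs heap not call stack,
    plus a depth cap so a hostile page yields an error rather than unbounded
    work. max_depth=512 is an assumed, illustrative limit."""
    parts = []
    stack = [(node, 0)]
    while stack:
        cur, depth = stack.pop()
        if isinstance(cur, str):
            parts.append(cur)
            continue
        if depth > max_depth:
            raise PreviewError(f"nesting deeper than {max_depth}")
        # push in reverse so children are visited in document order
        stack.extend((c, depth + 1) for c in reversed(cur.children))
    return "".join(parts)


def crafted_page(depth):
    """Constructed sample: the text sits under `depth` nested <div>s."""
    return ("<html><body>" + "<div>" * depth + "deep text"
            + "</div>" * depth + "</body></html>")


def demo(depth=20_000):
    """Returns (recursive_survived, iterative_text, capped_walk_rejected)."""
    tree = parse(crafted_page(depth))
    try:
        text_recursive(tree)
        survived = True
    except RecursionError:
        survived = False
    try:
        text_iterative(tree, max_depth=1_000)
        rejected = False
    except PreviewError:
        rejected = True
    return survived, text_iterative(tree, max_depth=depth + 10), rejected


if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    print(demo())
```

Run as a script, the recursive walk fails on the 20,000-deep page while the iterative walk returns the text, and the capped walk rejects the page with a request-level error. The cap is a separate decision from iteration: iteration alone removes the stack exhaustion, the cap bounds the work an attacker can make one preview request do.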

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: matrix/synapse < 1.61.1
CVEListV5: matrix-org/synapse < 1.61.1

Also affects: Fedora 35, 36

Patches

Vulnerability Details (4)

OSV
URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths (2022-06-29)
GHSA
URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths (2022-06-29)
CVEList
URL previews can crash Synapse media repositories or Synapse monoliths (2022-06-28)
OSV
CVE-2022-31052: Synapse is an open source home server implementation for the Matrix chat network (2022-06-28)

Vendor Advisories (1)

Debian
CVE-2022-31052: matrix-synapse - Synapse is an open source home server implementation for the Matrix chat network... (2022)
CVE-2022-31052 — Uncontrolled Recursion in Synapse | cvebase