CVE-2022-41952Uncontrolled Resource Consumption in Synapse

CWE-400Uncontrolled Resource ConsumptionCWE-772Missing Release of Resource after Effective Lifetime6 documents5 sources
Severity
5.3MEDIUMNVD
CNA6.5
EPSS
0.5%
top 33.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Matrix-org SynapseMatrix Synapse
Timeline
PublishedNov 22

Description

Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDmatrix/synapse< 1.53.0
CVEListV5matrix-org/synapse< 1.53.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2022-41952: Synapse before 12022-11-22
CVEList
Uncontrolled Resource Consumption in Matrix Synapse2022-11-22
OSV
Uncontrolled Resource Consumption in Matrix Synapse2022-04-01
GHSA
Uncontrolled Resource Consumption in Matrix Synapse2022-04-01

📋Vendor Advisories

1
Debian
CVE-2022-41952: matrix-synapse - Synapse before 1.52.0 with URL preview functionality enabled will attempt to gen...2022
CVE-2022-41952 — Uncontrolled Resource Consumption | cvebase