CVE-2023-32683 — Incorrect Authorization in Synapse

CWE-863 — Incorrect Authorization CWE-918 — Server-Side Request Forgery8 documents6 sources

Severity

5.4MEDIUMNVD

CNA3.5OSV5.0

EPSS

0.3%

top 49.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Synapse Matrix Synapse

Timeline

PublishedJun 6

Latest updateApr 22

Description

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON r…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDmatrix/synapse< 1.85.0

▶CVEListV5matrix-org/synapse< 1.85.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

matrix-synapse vulnerabilities↗2025-04-22

▶

CVEList

URL deny list bypass via oEmbed and image URLs when generating previews in Synapse↗2023-06-06

▶

OSV

CVE-2023-32683: Synapse is a Matrix protocol homeserver written in Python with the Twisted framework↗2023-06-06

▶

OSV

Synapse has URL deny list bypass via oEmbed and image URLs when generating previews↗2023-06-06

▶

GHSA

Synapse has URL deny list bypass via oEmbed and image URLs when generating previews↗2023-06-06

▶

📋Vendor Advisories

Ubuntu

Synapse vulnerabilities↗2025-04-22

▶

Debian

CVE-2023-32683: matrix-synapse - Synapse is a Matrix protocol homeserver written in Python with the Twisted frame...↗2023

▶