This problem has been around since the very first public release of Synapse in February 2013, and it is unlikely to be fixed in the near future. If you are using URL previews, then you should lower your server's stack size to prevent your server from crashing. See [Stack size recommendations](https://matrix.org/docs/software-matrix-org/matrix-org-server-reference/#stack-size-recommendations) for information on the recommended stack size for your server.
Update to new versions of Synapse
The new version of Synapse introduced many improvements, including a much-improved user interface. These improvements will not be available in the vulnerable versions of Synapse.
What is the origin of this issue?
The issue was brought to our attention during a bug bounty program. This vulnerability is due to an API call that doesn't check whether the input given is safe. The API call that is responsible for this vulnerability allows any user with a Matrix ID to query the URL previews endpoint and retrieve the URL preview.
FTP Synapse vulnerabilities
The Synapse project team is aware of a potential vulnerability in the FTP daemon, which may allow an attacker to cause a denial-of-service (DoS) or potentially gain control of the server.
If you are using FTP on your Synapse server, please upgrade to version 0.11.3 or later as soon as possible.
Timeline
Published on: 06/28/2022 17:15:00 UTC
Last modified on: 07/09/2022 00:15:00 UTC
References
- https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32
- https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url
- https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31052