{"vulnerability": "CVE-2023-32683", "sightings": [{"uuid": "69c28b59-134b-495a-850c-b664f80a8883", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32683", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/452", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-32683\n\ud83d\udd39 Description: Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.\n\ud83d\udccf Published: 2023-06-06T18:24:30.457Z\n\ud83d\udccf Modified: 2025-01-07T16:26:12.352Z\n\ud83d\udd17 References:\n1. https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc\n2. https://github.com/matrix-org/synapse/pull/15601\n3. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/", "creation_timestamp": "2025-01-07T16:37:28.000000Z"}]}