| Field | Change | Value |
|---|---|---|
| Severity | | |
| Type | - | Unknown |
| Type | + | Directory traversal |
| Description | + | Synapse instances before version 1.47.1 with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. |
| Description | + | The last two directories and the file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. |
| Description | + | Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected. |
| References | + | https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c |
| References | + | https://github.com/matrix-org/synapse/commit/91f2bd0907f1d05af67166846988e49644eb650c |
| Notes | + | Workaround |
| Notes | + | Server administrators using a reverse proxy could, at the expense of losing media functionality, block the following endpoints: |
| Notes | + | `/_matrix/media/r0/download/{serverName}/{mediaId}` |
| Notes | + | `/_matrix/media/r0/download/{serverName}/{mediaId}/{fileName}` |
| Notes | + | `/_matrix/media/r0/thumbnail/{serverName}/{mediaId}` |
| Notes | + | Alternatively, non-containerized deployments can be adapted to use the hardened systemd config, which is enabled by default for the Arch Linux package. |
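The description says the request-controlled part of the path can walk out of the media store while the last two directories and the file name stay random. The following is an added example written for this page, not Synapse's code or the fix in the referenced commit: it shows the vulnerable join beside a hardened version that validates the server name and independently checks that the resolved path is still contained in the store. The directory layout (`remote_content/<server>/<2 chars>/<2 chars>/<rest>`), the server-name regex, the store location and the sample file id are assumptions made for the illustration.

```python
"""Added illustration for this advisory; not Synapse's own code.

Assumed layout: <media_store>/remote_content/<server_name>/<id[:2]>/<id[2:4]>/<id[4:]>
where server_name comes from the request and the id is generated locally,
so only the first directory below remote_content is attacker-influenced.
"""
import os
import re
import secrets
from typing import Optional

# Assumed validator: hostname-like string or bracketed IPv6 literal, optional port.
# Neither alternative admits '/', '\\' or a leading '.', so '..' segments cannot match.
_SERVER_NAME_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9.\-]*(?::\d{1,5})?$"
    r"|^\[[0-9A-Fa-f:.]+\](?::\d{1,5})?$"
)


def random_file_id() -> str:
    """Locally chosen identifier for a downloaded file; the remote side has no say."""
    return secrets.token_hex(16)  # 32 hex characters


def naive_remote_media_path(media_store: str, server_name: str, file_id: str) -> str:
    """Vulnerable pattern: trust server_name from the request and join it.

    A server_name such as '../../evil' walks out of the media store. Only the
    trailing components (file_id[:2], file_id[2:4], file_id[4:]) remain random,
    which is why the advisory describes the impact as limited.
    """
    return os.path.join(media_store, "remote_content", server_name,
                        file_id[:2], file_id[2:4], file_id[4:])


def is_inside(media_store: str, path: str) -> bool:
    """True if path, after resolving '..' and symlinks, stays under media_store."""
    base = os.path.realpath(media_store)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def remote_media_path(media_store: str, server_name: str,
                      file_id: Optional[str] = None) -> str:
    """Hardened variant: validate the request-controlled component, then
    confirm containment of the resolved path as an independent second check."""
    if not _SERVER_NAME_RE.match(server_name):
        raise ValueError(f"invalid server name: {server_name!r}")
    path = naive_remote_media_path(media_store, server_name,
                                   file_id or random_file_id())
    # Belt and braces: if the validator is ever loosened, containment still holds.
    if not is_inside(media_store, path):
        raise ValueError(f"path escapes media store: {path}")
    return os.path.realpath(path)


if __name__ == "__main__":
    store = "/srv/synapse/media_store"            # assumed location; need not exist
    fid = "0123456789abcdef0123456789abcdef"      # constructed sample id
    print("vulnerable:", naive_remote_media_path(store, "../../evil", fid))
    print("hardened  :", remote_media_path(store, "matrix.example.org", fid))
    try:
        remote_media_path(store, "../../evil", fid)
    except ValueError as exc:
        print("rejected  :", exc)
```

The containment check uses `os.path.realpath` on both the store and the candidate so that symlinks inside the store cannot be used to defeat a purely lexical comparison; the regex alone would already stop the traversal, but keeping both means a future relaxation of the name grammar does not silently reopen the hole.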