CVE-2024-53863 – matrix-synapse
Package
Manager: pip
Name: matrix-synapse
Vulnerable Version: >=0 <1.120.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.00067 (percentile 0.21071)
Details
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders

### Impact

In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.

For a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html).

### Patches

Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.

### Workarounds

- Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.
- Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in.
- Depending on the installation method, there may be some decoder libraries bundled with Pillow and these cannot be easily uninstalled.
- The official Docker container image does not include Ghostscript.

### References

- [The Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html) includes a list of supported image formats and which libraries or helper programs are used to decode them.

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
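The patch described above narrows thumbnailing to four formats. The following is an added example, not Synapse's own code, of the same defensive pattern: decide from the file's leading bytes (not the client-supplied Content-Type) whether the media is PNG, JPEG, GIF or WebP, and refuse to hand anything else to the image library. The function names, the allowlist constant and the sample byte strings are constructed for this illustration.

```python
"""Format allowlist for thumbnail sources (illustrative, not Synapse code)."""
from typing import Optional

# Formats Synapse 1.120.1 still thumbnails; everything else is refused.
ALLOWED_FORMATS = {"png", "jpeg", "gif", "webp"}


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return the format implied by the file header, or None if unrecognised.

    Only the allowlisted formats and one notable rejected case (PostScript,
    which Pillow's EPS plugin would pass to Ghostscript) are distinguished.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data.startswith(b"%!PS"):
        return "postscript"
    return None


def may_thumbnail(data: bytes, declared_type: str) -> bool:
    """Allow thumbnailing only when the sniffed format is allowlisted and
    agrees with the declared MIME type.

    Checking the bytes defeats a request that merely declares image/png;
    checking the declared type as well rejects mislabelled uploads instead of
    silently decoding them as something else.
    """
    fmt = sniff_image_format(data)
    if fmt not in ALLOWED_FORMATS:
        return False
    return declared_type.lower() == f"image/{fmt}"
```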
Metadata
Created: 2024-12-03T18:44:00Z
Modified: 2024-12-03T18:44:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-vp6v-whfm-rv3g/GHSA-vp6v-whfm-rv3g.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-vp6v-whfm-rv3g
Finding: F027
Auto approve: 1