Vulnerability-Lookup

CVE-2024-53863 (GCVE-0-2024-53863)

Vulnerability from cvelistv5 – Published: 2024-12-03 16:48 – Updated: 2024-12-03 19:08

Title

Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders

Summary

Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

GitHub_M

References

URL

Tags

https://github.com/element-hq/synapse/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	element-hq	synapse	Affected: < 1.120.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "synapse",
            "vendor": "element-hq",
            "versions": [
              {
                "lessThan": "1.120.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53863",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:07:32.536899Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:08:30.218Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "element-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.120.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T16:48:29.722Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
        }
      ],
      "source": {
        "advisory": "GHSA-vp6v-whfm-rv3g",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53863",
    "datePublished": "2024-12-03T16:48:29.722Z",
    "dateReserved": "2024-11-22T17:30:02.145Z",
    "dateUpdated": "2024-12-03T19:08:30.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53863\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-03T19:07:32.536899Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*\"], \"vendor\": \"element-hq\", \"product\": \"synapse\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.120.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-03T19:08:17.948Z\"}}], \"cna\": {\"title\": \"Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders\", \"source\": {\"advisory\": \"GHSA-vp6v-whfm-rv3g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"element-hq\", \"product\": \"synapse\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.120.1\"}]}], \"references\": [{\"url\": \"https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g\", \"name\": \"https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-03T16:48:29.722Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53863\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-03T19:08:30.218Z\", \"dateReserved\": \"2024-11-22T17:30:02.145Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-03T16:48:29.722Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-VP6V-WHFM-RV3G

Vulnerability from github – Published: 2024-12-03 18:44 – Updated: 2024-12-03 18:44

Summary

Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders

Details

Impact

In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing.

This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.

For a list of image formats, as well as decoding libraries and helper programs used, see the Pillow documentation.

Patches

Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.

Workarounds

Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.
Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in.
- Depending on the installation method, there may be some decoder libraries bundled with Pillow and these cannot be easily uninstalled.
- The official Docker container image does not include Ghostscript.

References

The Pillow documentation includes a list of supported image formats and which libraries or helper programs are used to decode them.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity ?

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.120.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-03T18:44:00Z",
    "nvd_published_at": "2024-12-03T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing.\n\nThis significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.\n\nFor a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html).\n\n### Patches\n\nSynapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.\n\n### Workarounds\n\n- Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.\n- Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in.\n    - Depending on the installation method, there may be some decoder libraries bundled with Pillow and these cannot be easily uninstalled.\n    - The official Docker container image does not include Ghostscript.\n\n### References\n\n- [The Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html) includes a list of supported image formats and which libraries or helper programs are used to decode them.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).\n",
  "id": "GHSA-vp6v-whfm-rv3g",
  "modified": "2024-12-03T18:44:00Z",
  "published": "2024-12-03T18:44:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/element-hq/synapse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
}

FKIE_CVE-2024-53863

Vulnerability from fkie_nvd - Published: 2024-12-03 17:15 - Updated: 2025-08-26 14:59

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g	Vendor Advisory

Impacted products

	Vendor	Product	Version
	matrix	synapse	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EBEE834-2AD8-446B-8103-40C4F70A026F",
              "versionEndExcluding": "1.120.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
    },
    {
      "lang": "es",
      "value": "Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto. En las versiones de Synapse anteriores a la 1.120.1, habilitar la opci\u00f3n dynamic_thumbnails o procesar una solicitud especialmente manipulada pod\u00eda activar la decodificaci\u00f3n y la generaci\u00f3n de miniaturas de formatos de imagen poco comunes, lo que podr\u00eda invocar herramientas externas como Ghostscript para su procesamiento. Esto ampl\u00eda significativamente la superficie de ataque en un \u00e1rea hist\u00f3ricamente vulnerable, lo que presenta un riesgo que supera con creces el beneficio, en particular porque estos formatos rara vez se utilizan en la web abierta o dentro del ecosistema Matrix. Synapse 1.120.1 soluciona el problema al restringir la generaci\u00f3n de miniaturas a im\u00e1genes en los siguientes formatos ampliamente utilizados: PNG, JPEG, GIF y WebP. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 1.120.1."
    }
  ],
  "id": "CVE-2024-53863",
  "lastModified": "2025-08-26T14:59:05.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-03T17:15:12.633",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53863 (GCVE-0-2024-53863)

GHSA-VP6V-WHFM-RV3G

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2024-53863

Tags

Sightings

Nomenclature