2330185 – (CVE-2024-53863) CVE-2024-53863 matrix-synapse: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders

Bug 2330185 (CVE-2024-53863) - CVE-2024-53863 matrix-synapse: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders

Summary: CVE-2024-53863 matrix-synapse: Synapse can be forced to thumbnail unexpected ...

Keywords:
Status:	NEW
Alias:	CVE-2024-53863
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2330239 2330240
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-03 17:01 UTC by OSIDB Bzimport
Modified:	2024-12-03 20:56 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-12-03 17:01:09 UTC

Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.

Note You need to log in before you can comment on or make changes to this bug.