{
  "schema_version": "1.4.0",
  "id": "GHSA-vp6v-whfm-rv3g",
  "modified": "2024-12-03T18:44:00Z",
  "published": "2024-12-03T18:44:00Z",
  "aliases": [
    "CVE-2024-53863"
  ],
  "summary": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders",
  "details": "### Impact\n\nIn Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing.\n\nThis significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.\n\nFor a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html).\n\n### Patches\n\nSynapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.\n\n### Workarounds\n\n- Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.\n- Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in.\n    - Depending on the installation method, there may be some decoder libraries bundled with Pillow and these cannot be easily uninstalled.\n    - The official Docker container image does not include Ghostscript.\n\n### References\n\n- [The Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html) includes a list of supported image formats and which libraries or helper programs are used to decode them.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).\n",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.120.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/element-hq/synapse"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-03T18:44:00Z",
    "nvd_published_at": "2024-12-03T17:15:12Z"
  }
}