SB20241203115 - Multiple vulnerabilities in Synapse
Published: December 3, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Interpretation Conflict (CVE-ID: CVE-2024-53863)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to invoke potentially untrustworthy decoders.
The vulnerability exists due to improper restriction of the file formats accepted by thumbnail generation. A remote attacker can send a specially crafted request to invoke potentially untrustworthy decoders.
Instances with the dynamic_thumbnails option enabled are affected.
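Because only instances with dynamic_thumbnails enabled are affected, the first thing an operator wants is a quick check of which homeservers have it on. The following script is an added example, not Synapse project code: it assumes the option is a top-level key in homeserver.yaml written as `dynamic_thumbnails: true`, and it reads only that key with a small line-based parser so it needs no YAML library.

```python
"""Flag Synapse homeserver.yaml files that enable dynamic_thumbnails.

Added example, not code from the Synapse project. Assumes dynamic_thumbnails
is a top-level key in homeserver.yaml (e.g. `dynamic_thumbnails: true`) and
implements only the subset of YAML needed to read it.
"""
import re
import sys

# Spellings a YAML 1.1 loader (PyYAML, which Synapse uses) resolves to boolean
# true; compared case-insensitively here, which is slightly looser than PyYAML.
_TRUE_VALUES = {"true", "yes", "on"}
_KEY_RE = re.compile(r"^dynamic_thumbnails\s*:\s*(?P<value>[^#]*)")


def dynamic_thumbnails_enabled(config_text: str) -> bool:
    """Return True if the top-level dynamic_thumbnails key is set to a true value.

    Commented-out lines and indented (nested) keys do not count. If the key
    appears more than once, the last occurrence wins, which is how a YAML
    loader resolves duplicate mapping keys in practice.
    """
    enabled = False
    for raw in config_text.splitlines():
        if raw[:1].isspace():  # indented: a nested key, not the top-level option
            continue
        match = _KEY_RE.match(raw)
        if not match:
            continue
        value = match.group("value").strip().lower()
        enabled = value in _TRUE_VALUES
    return enabled


def audit_file(path: str) -> str:
    """Read one config file and return a one-line verdict for it."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if dynamic_thumbnails_enabled(text):
        return f"{path}: dynamic_thumbnails ENABLED - affected by CVE-2024-53863 until updated"
    return f"{path}: dynamic_thumbnails disabled - not affected by CVE-2024-53863"


# Constructed sample configs (not real deployments) so the script runs offline.
SAMPLE_ENABLED = "server_name: example.test\ndynamic_thumbnails: true  # added for previews\n"
SAMPLE_DISABLED = "server_name: example.test\n# dynamic_thumbnails: true\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for config_path in sys.argv[1:]:
            print(audit_file(config_path))
    else:
        for name, sample in (("sample-enabled", SAMPLE_ENABLED), ("sample-disabled", SAMPLE_DISABLED)):
            print(name, "->", dynamic_thumbnails_enabled(sample))
```

Run it as `python check_dynamic_thumbnails.py /etc/synapse/homeserver.yaml` (hypothetical file name and path) to get a verdict per file; with no arguments it evaluates the two constructed samples. The line-based parser is deliberately conservative: a config that enables the option through an include file or a non-standard layout will not be flagged, so treat a "disabled" result as a prompt to confirm, not as proof.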
2) Input validation error (CVE-ID: CVE-2024-52815)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of invites received over federation. A remote attacker can send a specially crafted invite to cause a denial of service.
The issue can disrupt the invited user's /sync functionality.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2024-52805)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling when handling unsupported multipart/form-data requests. A remote attacker can send a specially crafted request to cause a denial of service.
Only certain configurations are vulnerable, and memory consumption may transiently increase beyond expected levels while the request is being processed.
4) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-ID: CVE-2024-53867)
CWE-ID: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the Sliding Sync feature when handling synchronization requests for users no longer in a room. A remote user can request synchronization data to disclose sensitive information.
Only partial room state changes are exposed; non-state events such as messages are not affected.
Remediation
Install update from vendor's website.
References
- https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
- https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
- https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
- https://github.com/advisories/GHSA-rfq8-j7rh-8hf2
- https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
- https://github.com/advisories/GHSA-56w4-5538-8v8h