Alpine: multiple synapse packages: security update to 1.120.1

high Tenable Cloud Security Plugin ID 427536

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can
in certain configurations transiently increase memory consumption beyond expected levels while processing
the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by
denying requests with unsupported multipart/form-data content type. (CVE-2024-52805)

- Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate
invites received over federation. This vulnerability allows a malicious server to send a specially crafted
invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites
received over federation and restores the ability to sync for affected users. (CVE-2024-52815)

- Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the
dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and
thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for
processing. This significantly expands the attack surface in a historically vulnerable area, presenting a
risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or
within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to
images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in
1.120.1. (CVE-2024-53863)

- Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between
1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events,
like messages, are unaffected. This vulnerability is fixed in 1.120.1. (CVE-2024-53867)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-52805

https://security.alpinelinux.org/vuln/CVE-2024-52815

https://security.alpinelinux.org/vuln/CVE-2024-53863

https://security.alpinelinux.org/vuln/CVE-2024-53867

Plugin Details

Severity: High

ID: 427536

Version: Revision 1.11

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-53863

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2024-52815

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/3/2024

Reference Information

CVE: CVE-2024-52805, CVE-2024-52815, CVE-2024-53863, CVE-2024-53867