fkie_cve-2024-56515
Vulnerability from fkie_nvd
Published
2025-01-16 20:15
Modified
2025-01-16 20:15
Severity
Summary
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file. If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead. MMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders; however, in testing they were not possible to exploit. This is fixed in MMR v1.3.8. MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow the scope of theoretical issues with all decoders MMR uses for thumbnails. Users are advised to upgrade. Users unable to upgrade may disable the SVG, JPEGXL, and MP4 thumbnail types in the MMR config, which prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit the risk surface. Containers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg. Some installations of ImageMagick may disable "unsafe" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default.
References
Impacted products
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file. If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead. MMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders, however in testing they were not possible to exploit. This is fixed in MMR v1.3.8. MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow scope of theoretical issues with all decoders MMR uses for thumbnails. Users are advised to upgrade. Users unable to upgrade may disable the SVG, JPEGXL, and MP4 thumbnail types in the MMR config which prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit risk surface. Containers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg. Some installations of ImageMagick may disable \"unsafe\" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default."
    },
    {
      "lang": "es",
      "value": "Matrix Media Repo (MMR) es un repositorio multimedia para múltiples servidores domésticos altamente configurable para Matrix. Si los generadores de miniaturas SVG o JPEGXL están habilitados (están deshabilitados de manera predeterminada), un usuario puede cargar un archivo que diga ser de cualquiera de estos tipos y solicitar una miniatura para invocar un decodificador diferente en ImageMagick. En algunas instalaciones de ImageMagick, esto incluye la capacidad de ejecutar Ghostscript para decodificar la imagen/archivo. Si los generadores de miniaturas MP4 están habilitados (también deshabilitados de manera predeterminada), puede ocurrir el mismo problema mencionado anteriormente con la instalación de ffmpeg. MMR usa otros decodificadores para todos los demás tipos de archivos al preparar miniaturas. Es posible que surjan problemas teóricos con estos decodificadores, sin embargo, en las pruebas no fue posible explotarlos. Esto se solucionó en MMR v1.3.8. MMR ahora inspecciona el tipo MIME de los medios antes de crear miniaturas y elige un generador de miniaturas en función de esos resultados en lugar de depender de los valores proporcionados por el usuario. Esto puede generar menos miniaturas cuando se usan formas de archivo poco conocidas. Esto también ayuda a limitar el alcance de los problemas teóricos con todos los decodificadores que utiliza MMR para las miniaturas. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden deshabilitar los tipos de miniatura SVG, JPEGXL y MP4 en la configuración de MMR, lo que evita que se invoquen los decodificadores. Se recomienda deshabilitar aún más los tipos de archivos poco comunes en el servidor para limitar la superficie de riesgo. También se pueden usar contenedores y otras tecnologías similares para limitar el impacto de las vulnerabilidades en decodificadores externos, como ImageMagick y ffmpeg. Algunas instalaciones de ImageMagick ya pueden deshabilitar los tipos de archivos \"inseguros\", como los PDF. Esta opción se puede replicar en otros entornos según sea necesario. ffmpeg se puede compilar con decodificadores/códecs limitados. La imagen de Docker para MMR deshabilita los PDF y formatos similares de forma predeterminada."
    }
  ],
  "id": "CVE-2024-56515",
  "lastModified": "2025-01-16T20:15:33.197",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-16T20:15:33.197",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-rcxc-wjgw-579r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.