{"url":"http://public2.vulnerablecode.io/api/packages/117412?format=json","purl":"pkg:apk/alpine/synapse@1.120.2-r0?arch=armv7&distroversion=v3.23&reponame=community","type":"apk","namespace":"alpine","name":"synapse","version":"1.120.2-r0","qualifiers":{"arch":"armv7","distroversion":"v3.23","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.127.1-r0","latest_non_vulnerable_version":"1.152.1-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44711?format=json","vulnerability_id":"VCID-f96c-qram-33cg","summary":"Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53867","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32534","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53867"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995","reference_id":"1088995","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995"},{"reference_url":"https://github.com/matrix-org/matrix-spec-proposals/pull/4186","reference_id":"4186","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:06Z/"}],"url":"https://github.com/matrix-org/matrix-spec-proposals/pull/4186"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h","reference_id":"GHSA-56w4-5538-8v8h","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:06Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/117412?format=json","purl":"pkg:apk/alpine/synapse@1.120.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/synapse@1.120.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"}],"aliases":["CVE-2024-53867"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f96c-qram-33cg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43400?format=json","vulnerability_id":"VCID-hqwh-2un3-bqd8","summary":"Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52815","reference_id":"","reference_type":"","scores":[{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.5808","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52815"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995","reference_id":"1088995","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h","reference_id":"GHSA-f3r3-h2mq-hx2h","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:05:32Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/117412?format=json","purl":"pkg:apk/alpine/synapse@1.120.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/synapse@1.120.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"}],"aliases":["CVE-2024-52815"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hqwh-2un3-bqd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43596?format=json","vulnerability_id":"VCID-s1jf-x5ug-jqcq","summary":"Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52805","reference_id":"","reference_type":"","scores":[{"value":"0.01089","scoring_system":"epss","scoring_elements":"0.7834","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52805"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995","reference_id":"1088995","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995"},{"reference_url":"https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518","reference_id":"4688#issuecomment-1167705518","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/"}],"url":"https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518"},{"reference_url":"https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609","reference_id":"4688#issuecomment-2385711609","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/"}],"url":"https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2","reference_id":"GHSA-rfq8-j7rh-8hf2","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/117412?format=json","purl":"pkg:apk/alpine/synapse@1.120.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/synapse@1.120.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"}],"aliases":["CVE-2024-52805"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s1jf-x5ug-jqcq"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/synapse@1.120.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"}