CVE-2024-37303

EPSS 0.15%
Veröffentlicht 03.12.2024 17:15:10
Zuletzt bearbeitet 26.08.2025 15:09:47
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Matrix ≫ Synapse Version < 1.106.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.358

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr

Vendor Advisory

https://github.com/matrix-org/matrix-spec-proposals/pull/3916

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-37303

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37303

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37303

EUVD