CVE-2024-37303

EPSS 0.15%
Published 03.12.2024 17:15:10
Last modified 26.08.2025 15:09:47
Source security-advisories@github.com
Teams watchlist Login
Open Login

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Synapse Version < 1.106.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.358

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr

Vendor Advisory

https://github.com/matrix-org/matrix-spec-proposals/pull/3916

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-37303

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37303

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37303

EUVD