5.3
CVE-2024-52602
- EPSS 0.55%
- Veröffentlicht 16.01.2025 20:15:32
- Zuletzt bearbeitet 20.08.2025 14:55:47
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginServer-Side Request Forgery (SSRF) on redirects and federation in Matrix Media Repo
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users are advised to upgrade. Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy and may provide a workaround for users unable to upgrade.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
T2bot ≫ Matrix-media-repo Version < 1.3.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.55% | 0.417 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 5 | 3.1 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv
https://learn.snyk.io/lesson/ssrf-server-side-request-forgery
https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang