Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
History

Tue, 03 Dec 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Element-hq
Element-hq synapse
CPEs cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
Vendors & Products Element-hq
Element-hq synapse
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Description Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
Title Synapse unauthenticated writes to the media repository allow planting of problematic content
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-03T17:06:02.467Z

Updated: 2024-12-03T18:51:29.590Z

Reserved: 2024-06-05T20:10:46.497Z

Link: CVE-2024-37303

cve-icon Vulnrichment

Updated: 2024-12-03T18:50:46.020Z

cve-icon NVD

Status : Received

Published: 2024-12-03T17:15:10.890

Modified: 2024-12-03T17:15:10.890

Link: CVE-2024-37303

cve-icon Redhat

No data.