2330195 – (CVE-2024-37303) CVE-2024-37303 matrix-synapse: Synapse unauthenticated writes to the media repository allow planting of problematic content

Bug 2330195 (CVE-2024-37303) - CVE-2024-37303 matrix-synapse: Synapse unauthenticated writes to the media repository allow planting of problematic content

Summary: CVE-2024-37303 matrix-synapse: Synapse unauthenticated writes to the media re...

Keywords:
Status:	NEW
Alias:	CVE-2024-37303
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-03 18:01 UTC by OSIDB Bzimport
Modified:	2024-12-03 21:00 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-12-03 18:01:11 UTC

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Note You need to log in before you can comment on or make changes to this bug.