CVE-2024-37303Missing Authentication for Critical Function in Synapse

CWE-306Missing Authentication for Critical Function6 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.5%
top 34.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Element-hq SynapseMatrix Synapse
Timeline
PublishedDec 3

Description

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 in

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDmatrix/synapse< 1.106.0
CVEListV5element-hq/synapse< 1.106

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
Synapse's unauthenticated writes to the media repository allow planting of problematic content2024-12-03
CVEList
Synapse unauthenticated writes to the media repository allow planting of problematic content2024-12-03
GHSA
Synapse's unauthenticated writes to the media repository allow planting of problematic content2024-12-03
OSV
CVE-2024-37303: Synapse is an open-source Matrix homeserver2024-12-03

📋Vendor Advisories

1
Debian
CVE-2024-37303: matrix-synapse - Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows...2024
CVE-2024-37303 — Element-hq Synapse vulnerability | cvebase