CVE-2024-36402
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2024-36402 affects Matrix Media Repo (MMR) versions prior to 1.3.5. This vulnerability allows unauthenticated remote participants to trigger media downloads from remote servers and cache them in the local media repository. Subsequently, this content can be accessed without authentication from the local server. Adversaries can exploit this issue to plant problematic content in the media repository. MMR introduces new endpoints requiring authentication for media downloads in version 1.3.5. The unauthenticated endpoints will be frozen in a future release, eliminating the attack vector. As a temporary measure, server operators can implement stricter rate limits based on IP addresses.
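To help size the IP-based rate limit mentioned above, the following added example (not part of the advisory and not MMR code) counts, per client IP, requests to the legacy unauthenticated media endpoints that name a remote origin server. The endpoint paths are taken from the Matrix client-server specification rather than from this page, and the access-log format, server names and log lines are constructed assumptions.

```python
import re
from collections import Counter

# Legacy unauthenticated media paths from the Matrix client-server spec
# (assumption: not listed on this page). Group 1 is the origin server name.
UNAUTH_MEDIA = re.compile(
    r"^/_matrix/media/(?:v1|r0|v3)/(?:download|thumbnail)/([^/?]+)/[^/?]+"
)
# Combined-log-format prefix (assumed): client IP, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*"')

def remote_fetches_per_ip(lines, local_server):
    """Count unauthenticated media requests per IP that name a remote origin.

    Each such request can make the repository fetch and cache remote media
    if it is not cached yet; the log alone cannot tell cache hits apart.
    """
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the assumed format
        ip, path = m.groups()
        media = UNAUTH_MEDIA.match(path)
        if media and media.group(1).lower() != local_server.lower():
            counts[ip] += 1
    return counts

def over_threshold(lines, local_server, threshold):
    """Return the sorted IPs with at least `threshold` such requests."""
    counts = remote_fetches_per_ip(lines, local_server)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample log; the local server is assumed to be matrix.example.org.
T = "[01/Jun/2024:10:00:01 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET /_matrix/media/v3/download/remote.example/abc123 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {T} "GET /_matrix/media/r0/thumbnail/other.example/def456?width=32&height=32 HTTP/1.1" 200 900',
    f'203.0.113.7 - - {T} "GET /_matrix/media/v3/download/remote.example/ghi789 HTTP/1.1" 200 7000',
    # Local media: no remote fetch involved, so it is not counted.
    f'198.51.100.9 - - {T} "GET /_matrix/media/v3/download/matrix.example.org/local1 HTTP/1.1" 200 300',
    # Authenticated endpoint: outside the unauthenticated path pattern.
    f'198.51.100.9 - - {T} "GET /_matrix/client/v1/media/download/remote.example/abc123 HTTP/1.1" 200 5120',
    f'198.51.100.9 - - {T} "GET /_matrix/media/v3/download/remote.example/abc123 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(remote_fetches_per_ip(SAMPLE_LOG, "matrix.example.org"))
    print(over_threshold(SAMPLE_LOG, "matrix.example.org", 3))
```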