CVE-2024-37302
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-37302 is a vulnerability affecting Synapse, an open-source Matrix homeserver. Unauthenticated adversaries can exploit this issue by inducing Synapse to download and cache large amounts of remote media, leading to a denial of service. Synapse's default rate-limiting strategy is insufficient to prevent this, allowing attackers to cause media uploads and downloads to fail or even render the Synapse process completely unavailable. Synapse version 1.106 introduces a new "leaky bucket" rate limit on remote media downloads, which partially mitigates the issue but does not fully address it, since attackers can still request large amounts of data to be cached.