CVE-2024-37303

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Dec 3, 2024
CWE ID 306

Summary

CVE-2024-37303 is a vulnerability affecting the Synapse open-source Matrix homeserver. Prior to version 1.106, Synapse allowed unauthenticated remote participants to trigger the download and caching of media from remote servers, and the locally stored media was then accessible without authentication. Malicious actors could exploit this design flaw to plant harmful content in the media repository. Synapse introduced a mitigation in version 1.106 with new media download endpoints that require authentication. The unauthenticated endpoints will be frozen in a future release, eliminating the attack vector.
