CVE-2024-37303: Synapse's unauthenticated writes to the media repository allow planting of problematic content

December 3, 2024

Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

References

github.com/advisories/GHSA-gjgr-7834-rhxr
github.com/element-hq/synapse
github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr
github.com/matrix-org/matrix-spec-proposals/pull/3916
nvd.nist.gov/vuln/detail/CVE-2024-37303

Detect and mitigate CVE-2024-37303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →