{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37303", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-05T20:10:46.497Z", "datePublished": "2024-12-03T17:06:02.467Z", "dateUpdated": "2024-12-03T18:51:29.590Z"}, "containers": {"cna": {"title": "Synapse unauthenticated writes to the media repository allow planting of problematic content", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"}, {"name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"}], "affected": [{"vendor": "element-hq", "product": "synapse", "versions": [{"version": "< 1.106", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-03T17:06:02.467Z"}, "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."}], "source": {"advisory": "GHSA-gjgr-7834-rhxr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "element-hq", "product": "synapse", "cpes": ["cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.106", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-03T18:49:29.668536Z", "id": "CVE-2024-37303", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T18:51:29.590Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-03T18:49:29.668536Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"], "vendor": "element-hq", "product": "synapse", "versions": [{"status": "affected", "version": "0", "lessThan": "1.106", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T18:50:46.020Z"}}], "cna": {"title": "Synapse unauthenticated writes to the media repository allow planting of problematic content", "source": {"advisory": "GHSA-gjgr-7834-rhxr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "element-hq", "product": "synapse", "versions": [{"status": "affected", "version": "< 1.106"}]}], "references": [{"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr", "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916", "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-03T17:06:02.467Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37303", "state": "PUBLISHED", "dateUpdated": "2024-12-03T18:51:29.590Z", "dateReserved": "2024-06-05T20:10:46.497Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-03T17:06:02.467Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7574431-51E3-465D-A1B9-5D05FD28160B", "versionEndExcluding": "1.106.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."}, {"lang": "es", "value": "Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto. La versi\u00f3n 1.106 de Synapse permite, por dise\u00f1o, que los participantes remotos no autenticados activen una descarga y un almacenamiento en cach\u00e9 de contenido multimedia remoto desde un servidor dom\u00e9stico remoto al repositorio de contenido multimedia local. Dicho contenido tambi\u00e9n se vuelve disponible para su descarga desde el servidor dom\u00e9stico local de forma no autenticada. La implicaci\u00f3n es que los adversarios remotos no autenticados pueden usar esta funcionalidad para introducir contenido problem\u00e1tico en el repositorio de contenido multimedia. La versi\u00f3n 1.106 de Synapse introduce una mitigaci\u00f3n parcial en forma de nuevos endpoints que requieren autenticaci\u00f3n para las descargas de contenido multimedia. Los endpoints no autenticados se congelar\u00e1n en una versi\u00f3n futura, lo que cerrar\u00e1 el vector de ataque."}], "id": "CVE-2024-37303", "lastModified": "2025-08-26T15:09:47.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-03T17:15:10.890", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}