PT-2024-27461 · Matrix · Synapse
Published 2024-12-03 · Updated 2025-08-26 · CVE-2024-37303
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Synapse versions prior to 1.106
Description
Synapse, an open-source Matrix homeserver, allows unauthenticated remote participants to trigger the download and caching of media from a remote homeserver into the local media repository. This lets unauthenticated remote adversaries plant problematic content in the media repository, where it then becomes downloadable from the local homeserver without authentication. A partial mitigation is introduced in Synapse version 1.106, which adds new endpoints that require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
Recommendations
For Synapse versions prior to 1.106, update to version 1.106 or later; this introduces a partial mitigation through new authenticated endpoints for media downloads.
As a temporary workaround, consider stricter per-IP rate limits to reduce the potential impact.
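As an added example that is not part of this advisory or of Synapse, the script below sketches the per-IP check behind the rate-limit workaround: it parses constructed access-log lines (the line layout is an assumption, not Synapse's own log format) for requests to the Matrix specification's unauthenticated media download route, ignores fetches of the local server's own media, and flags source IPs that trigger more remote fetches inside a time window than a chosen limit. The server name `homeserver.example` and the helper names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log; the line layout is an assumption for this example,
# not Synapse's own format. The path is the Matrix spec's unauthenticated media route.
SAMPLE_LOG = """\
203.0.113.7 - [2024-12-03T10:00:00] "GET /_matrix/media/v3/download/remote.example/m1 HTTP/1.1" 200
203.0.113.7 - [2024-12-03T10:00:01] "GET /_matrix/media/v3/download/remote.example/m2 HTTP/1.1" 200
203.0.113.7 - [2024-12-03T10:00:02] "GET /_matrix/media/v3/download/other.example/m3 HTTP/1.1" 200
203.0.113.7 - [2024-12-03T10:00:03] "GET /_matrix/media/v3/download/other.example/m4 HTTP/1.1" 200
203.0.113.7 - [2024-12-03T10:00:04] "GET /_matrix/media/v3/download/other.example/m5 HTTP/1.1" 200
198.51.100.2 - [2024-12-03T10:00:02] "GET /_matrix/media/v3/download/remote.example/m6 HTTP/1.1" 200
198.51.100.2 - [2024-12-03T10:00:03] "GET /_matrix/media/v3/download/homeserver.example/m7 HTTP/1.1" 200
"""
LOCAL_SERVER = "homeserver.example"  # hypothetical name of the local homeserver

MEDIA_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"GET /_matrix/media/v3/download/(?P<server>[^/]+)/(?P<media>[^/ ]+)'
)

def parse_remote_downloads(log_text, local_server):
    """Yield (ip, timestamp, origin server) for downloads naming a server other
    than our own: each one can make the homeserver fetch and cache remote media."""
    for line in log_text.splitlines():
        m = MEDIA_RE.match(line)
        if not m or m.group("server") == local_server:
            continue
        yield m.group("ip"), datetime.fromisoformat(m.group("ts")), m.group("server")

def offending_ips(log_text, local_server, limit, window_seconds):
    """Return {ip: peak count} for IPs exceeding `limit` remote fetches within
    any sliding window of `window_seconds`; these are rate-limit candidates."""
    stamps_by_ip = defaultdict(list)
    for ip, ts, _ in parse_remote_downloads(log_text, local_server):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until the oldest request fits in the window.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

On the constructed log, `offending_ips(SAMPLE_LOG, LOCAL_SERVER, 3, 10)` flags only `203.0.113.7`, which made five remote fetches within ten seconds, while the second client stays under the limit because its fetch of local media is not counted.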
Weakness Enumeration
Missing Authentication
Affected Products
Synapse