PT-2025-2448 · Unknown · Matrix Media Repo

Moderate · turt2Live

Published 2025-01-16 · Updated 2025-08-20

CVE-2024-36402

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Matrix Media Repo versions prior to 1.3.5
Description: The issue allows unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. This makes the content available for download from the local homeserver in an unauthenticated way, allowing unauthenticated remote adversaries to introduce problematic content into the media repository. A partial mitigation is introduced in version 1.3.5 with new endpoints requiring authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later, which introduces a partial mitigation through new authenticated endpoints for media downloads. As a temporary workaround, server operators can apply stricter per-IP rate limits to reduce the potential impact. Restrict access to the unauthenticated endpoints until they are frozen in a future release, and avoid using them for media downloads until the issue is fully resolved.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2024-36402
GHSA-8VMR-H7H5-CQHG
GO-2025-3397
OPENSUSE-SU-2025:14704-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Matrix Media Repo
Suse