CVE-2024-37303

Publication date 3 December 2024

Last updated 11 July 2025


Ubuntu priority

Cvss 3 Severity Score

5.3 · Medium

Score breakdown

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Read the notes from the security team

Status

Package Ubuntu Release Status
matrix-synapse 24.10 oracular Ignored end of life, was deferred [7/4/2025]
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred

Notes


john-breton

The linked PR is a specification change and does not include code changes as of 7/4/2025. May be possible to extract the fix from the 1.106.0-1 source, but unlikely.

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N