SB20241203116 - Multiple vulnerabilities in Synapse
Published: December 3, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2024-37303)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to plant problematic content in the media repository.
The vulnerability exists because the media repository download endpoints do not require authentication when they trigger the download and caching of media from a remote homeserver. A remote attacker can therefore make the server fetch and cache remote media of their choosing, planting problematic content in the media repository.
The planted content then becomes available for unauthenticated download from the local homeserver.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2024-37302)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists because remote media caching does not limit or throttle resource allocation when handling requests for remote media downloads. A remote attacker can request large amounts of remote media to cause a denial of service.
The issue can fill disk space and may result in failed media uploads or downloads, or in complete unavailability of the Synapse process, depending on the deployment.
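The two weaknesses above come down to two missing controls on the remote media download path: an authentication gate before the server fetches from another homeserver (CVE-2024-37303) and a bound on how much cached remote media a requester, and the cache as a whole, may allocate (CVE-2024-37302). The following is an added illustration written for this bulletin, not Synapse's own code; the `RemoteMediaCache` class, its quota fields and the `_fake_fetch` stand-in for a federation fetch are all hypothetical.

```python
from dataclasses import dataclass, field


class MediaRequestRejected(Exception):
    """Raised when a remote-media request fails a policy check."""


@dataclass
class RemoteMediaCache:
    """Hypothetical model of a remote media cache, not Synapse's implementation."""
    max_cache_bytes: int        # hard cap on all cached remote media (the disk budget)
    per_user_quota_bytes: int   # cap on remote bytes one authenticated user may trigger
    cached: dict = field(default_factory=dict)          # (origin, media_id) -> size
    per_user_bytes: dict = field(default_factory=dict)  # user_id -> bytes triggered

    def download_remote(self, user_id, origin, media_id, fetch):
        """Serve remote media, fetching and caching it from the origin homeserver on a miss."""
        # Control 1: only an authenticated local user may make this server fetch and cache
        # media from another homeserver (the gate CVE-2024-37303 describes as missing).
        if not user_id:
            raise MediaRequestRejected("authentication required to fetch remote media")
        key = (origin, media_id)
        if key in self.cached:
            return self.cached[key]
        # Control 2: bound the allocation before storing anything (CVE-2024-37302 is the
        # unbounded case). A production server would enforce this while streaming the body.
        user_left = self.per_user_quota_bytes - self.per_user_bytes.get(user_id, 0)
        cache_left = self.max_cache_bytes - sum(self.cached.values())
        data = fetch(origin, media_id)
        if len(data) > user_left:
            raise MediaRequestRejected(f"per-user remote media quota exceeded for {user_id}")
        if len(data) > cache_left:
            raise MediaRequestRejected("remote media cache is full")
        self.cached[key] = len(data)
        self.per_user_bytes[user_id] = self.per_user_bytes.get(user_id, 0) + len(data)
        return len(data)


def _fake_fetch(origin, media_id):
    """Constructed stand-in for a federation fetch: 'm-N' yields N KiB of bytes."""
    return b"x" * (int(media_id.split("-")[1]) * 1024)


def demo():
    """Constructed request sequence: 5 KiB cache, 3 KiB per user; returns sizes or rejections."""
    cache = RemoteMediaCache(max_cache_bytes=5 * 1024, per_user_quota_bytes=3 * 1024)
    requests = [(None, "m-1"), ("@alice:local", "m-2"), ("@alice:local", "m-2"),
                ("@alice:local", "m-3"), ("@bob:local", "m-3"), ("@carol:local", "m-1")]
    results = []
    for user_id, media_id in requests:
        try:
            results.append(cache.download_remote(user_id, "remote.example", _fake_fetch.__name__ and media_id, _fake_fetch))
        except MediaRequestRejected as exc:
            results.append(str(exc))
    return results
```

The unauthenticated request is refused before any federation traffic, repeated requests for the same media are served from the cache without new allocation, and the quota and disk-cap checks reject the requests that would exceed them.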
Remediation
Install the update from the vendor's website.