Vulnerability Description
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users are advised to upgrade. Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy and may provide a workaround for users unable to upgrade.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| T2Bot | Matrix-Media-Repo | < 1.3.8 |
Related Weaknesses (CWE)
References
- https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8Release Notes
- https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fVendor Advisory
- https://learn.snyk.io/lesson/ssrf-server-side-request-forgeryTechnical Description
- https://owasp.org/www-community/attacks/Server_Side_Request_ForgeryTechnical Description
- https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golangTechnical Description
FAQ
What is CVE-2024-52602?
CVE-2024-52602 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private netw...
How severe is CVE-2024-52602?
CVE-2024-52602 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52602?
Check the references section above for vendor advisories and patch information. Affected products include: T2Bot Matrix-Media-Repo.