CVE-2024-52602

Aliases:GHSA-r6jg-jfv6-2fjvGO-2025-3399
Advisory lineage Upstream: 0 Downstream: 2
Analyzed
Published: 16 Jan 2025, 19:14
Last modified:12 Feb 2025, 20:31

Vulnerability Summary

Overall Risk (default)
low
21/100
CVSS Score
5.3 MEDIUM
v3.1 (nvd)
EPSS Score
0.12% LOW
0% probability -0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Jan 2025, 19:14
Published
Vulnerability first disclosed
12 Feb 2025, 20:31
Last Modified
Vulnerability information updated

Description

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users are advised to upgrade. Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy and may provide a workaround for users unable to upgrade.

CVSS Metrics

  • v3.1MEDIUMScore: 5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.12% Percentile: 31%

Techniques & Countermeasures

  • CWE-918Server-Side Request Forgery (SSRF)

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Systems

  • github.com/t2botmatrix-media-repo

    < 1.3.8

  • t2botmatrix-media-repo

    < 1.3.8

References (8)