{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"critical"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-37302","title":"Title"},{"category":"description","text":"Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-37302","url":"https://www.suse.com/security/cve/CVE-2024-37302"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1234110 for CVE-2024-37302","url":"https://bugzilla.suse.com/1234110"}],"title":"SUSE CVE CVE-2024-37302","tracking":{"current_release_date":"2025-08-26T23:26:58Z","generator":{"date":"2024-12-04T03:58:35Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-37302","initial_release_date":"2024-12-04T03:58:35Z","revision_history":[{"date":"2024-12-04T03:58:35Z","number":"2","summary":"Current version"},{"date":"2024-12-05T00:30:02Z","number":"3","summary":"Current version"},{"date":"2025-01-01T01:02:10Z","number":"4","summary":"Current version"},{"date":"2025-02-14T04:54:41Z","number":"5","summary":"Current version"},{"date":"2025-02-16T04:46:52Z","number":"6","summary":"Current version"},{"date":"2025-03-15T05:02:22Z","number":"7","summary":"Current version"},{"date":"2025-08-26T23:26:58Z","number":"8","summary":"Current version"}],"status":"interim","version":"8"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"matrix-synapse-1.120.2-1.1","product":{"name":"matrix-synapse-1.120.2-1.1","product_id":"matrix-synapse-1.120.2-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:matrix:synapse:1.120.2:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/matrix-synapse@1.120.2-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"matrix-synapse-1.120.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1"},"product_reference":"matrix-synapse-1.120.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2024-37302","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-37302"}],"notes":[{"category":"general","text":"Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1"]},"references":[{"category":"external","summary":"CVE-2024-37302","url":"https://www.suse.com/security/cve/CVE-2024-37302"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1234110 for CVE-2024-37302","url":"https://bugzilla.suse.com/1234110"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:matrix-synapse-1.120.2-1.1"]}],"threats":[{"category":"impact","date":"2024-12-03T17:45:09Z","details":"critical"}],"title":"CVE-2024-37302"}]}