x/vulndb: potential Go vuln in github.com/t2bot/matrix-media-repo: GHSA-8vmr-h7h5-cqhg

[GoVulnBot]

Advisory GHSA-8vmr-h7h5-cqhg references a vulnerability in the following Go modules:

Module
github.com/t2bot/matrix-media-repo

Description:

Impact

MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

Patches

MMR 1.3.5 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticate...

References:

• ADVISORY: GHSA-8vmr-h7h5-cqhg
• ADVISORY: GHSA-8vmr-h7h5-cqhg
• FIX: MSC3916: Authentication for media matrix-org/matrix-spec-proposals#3916

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/t2bot/matrix-media-repo
      versions:
        - fixed: 1.3.5
      vulnerable_at: 1.3.4
summary: |-
    matrix-media-repo (MMR) allows unauthenticated writes to the media repository,
    which may allow planting of problematic content in github.com/t2bot/matrix-media-repo
cves:
    - CVE-2024-36402
ghsas:
    - GHSA-8vmr-h7h5-cqhg
references:
    - advisory: https://github.com/advisories/GHSA-8vmr-h7h5-cqhg
    - advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-8vmr-h7h5-cqhg
    - fix: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
source:
    id: GHSA-8vmr-h7h5-cqhg
    created: 2025-01-16T20:01:19.935166304Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/642605 mentions this issue: data/reports: add 5 reports