CVE-2024-52594

Jan. 16, 2025, 7:15 p.m.

4.3
Medium

Description

Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unable to upgrade should use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access.

Product(s) Impacted

Product Versions
UNKNOWN

Weaknesses

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References

https://github.com/matrix-org/gomatrixserverlib/commit/c4f1e01eab0dd435709ad15463ed38a079ad6128
https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822

Tags

security-advisories@github.com
CWE-918
2025-01-16
CVE-2024-52594

CVSS Score

4.3 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Date

  • Published: Jan. 16, 2025, 7:15 p.m.
  • Last Modified: Jan. 16, 2025, 7:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.