Vulnerability Details : CVE-2021-29432
Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.
Vulnerability category: Input validation
Products affected by CVE-2021-29432
- cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-29432
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-29432
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
|
5.7
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
2.1
|
3.6
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2021-29432
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2021-29432
-
https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42
Randomise multipart boundary, and include mxids in invite email notifs · matrix-org/sydent@4469d1d · GitHubPatch;Third Party Advisory
-
https://pypi.org/project/matrix-sydent/
matrix-sydent · PyPIProduct;Third Party Advisory
-
https://github.com/matrix-org/sydent/releases/tag/v2.3.0
Release Sydent 2.3.0 (2021-04-15) · matrix-org/sydent · GitHubRelease Notes;Third Party Advisory
-
https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx
Malicious users could control the content of invitation emails · Advisory · matrix-org/sydent · GitHubPatch;Third Party Advisory
Jump to