CVE-2021-29431

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f	Patch Third Party Advisory
https://github.com/matrix-org/sydent/releases/tag/v2.3.0	Release Notes Third Party Advisory
https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4	Patch Third Party Advisory
https://pypi.org/project/matrix-sydent/	Product Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-04-15 21:15

Updated : 2024-02-04 21:47

NVD link : CVE-2021-29431

Mitre link : CVE-2021-29431

CVE.ORG link : CVE-2021-29431

JSON object : View

Products Affected

matrix

sydent

CWE

CWE-20

Improper Input Validation

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2021-29431", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2021-04-15T21:15:17.520", "references": [{"url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pypi.org/project/matrix-sydent/", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}, {"lang": "es", "value": "Sydent es un servidor de identidad Matrix de referencia. Sydent puede ser inducido a enviar peticiones HTTP GET hacia sistemas internos, debido a una falta de comprobaci\u00f3n de par\u00e1metros o la lista negra de direcciones IP. No es posible exfiltrar datos o controlar los encabezados de peticiones, pero podr\u00eda ser posible utilizar el ataque para llevar a cabo una enumeraci\u00f3n de puertos internos. Este problema ha sido abordado en 9e57334, 8936925, 3d531ed, 0f00412. Una posible soluci\u00f3n alternativa ser\u00eda utilizar un firewall para garantizar que Sydent no pueda acceder a los recursos HTTP internos"}], "lastModified": "2021-04-22T15:27:01.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C77C5A80-7302-49F8-8DAA-37B269691C9C", "versionEndExcluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}