GitHub Advisory DatabaseGHSA-MH74-4M5G-FCJXMalicious users could abuse Sydent to control the content of invitation emails
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
30.7%
Impact
A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example.
Patches
Fixed in 4469d1d, 6b405a8, 65a6e91.
Note that these patches include changes to the default email templates. If these templates have been locally modified, they must also be updated.
For more information
If you have any questions or comments about this advisory, email us at [email protected].
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| matrix-sydent | lt | 2.3.0 |
References
github.com/advisories/GHSA-mh74-4m5g-fcjx
github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42
github.com/matrix-org/sydent/releases/tag/v2.3.0
github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx
nvd.nist.gov/vuln/detail/CVE-2021-29432
pypi.org/project/matrix-sydent/
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
30.7%