Matrix Sydent

By the Year

In 2021 there have been 4 vulnerabilities in Matrix Sydent with an average score of 6.0 out of ten. Sydent did not have any published security vulnerabilities last year. That is, 4 more vulnerabilities have already been reported in 2021 as compared to last year.

Year Vulnerabilities Average Score
2021 4 6.00
2020 0 0.00
2019 2 6.70
2018 0 0.00

It may take a day or so for new Sydent vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Matrix Sydent Security Vulnerabilities

Sydent is a reference Matrix identity server

CVE-2021-29431 6.5 - Medium - April 15, 2021

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

Improper Input Validation

Sydent is a reference matrix identity server

CVE-2021-29432 5.7 - Medium - April 15, 2021

Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.

Improper Input Validation

Sydent is a reference Matrix identity server

CVE-2021-29430 7.5 - High - April 15, 2021

Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service. This affects any server which accepts registration requests from untrusted clients. This issue has been patched by releases 89071a1, 0523511, f56eee3. As a workaround request sizes can be limited in an HTTP reverse-proxy. There are no known workarounds for the problem with overlarge responses.

Improper Input Validation

Sydent is a reference Matrix identity server

CVE-2021-29433 4.3 - Medium - April 15, 2021

Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. A patch for the vulnerability is in version 2.3.0. No workarounds are known to exist.

Resource Exhaustion

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1

CVE-2019-11842 7.5 - High - May 09, 2019

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

PRNG

util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions

CVE-2019-11340 5.9 - Medium - April 19, 2019

util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring.

Improper Input Validation
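The parseaddr mismatch behind CVE-2019-11340, shown as an added Python illustration that is not Sydent's own code: a naive domain allow-list that looks at the text after the last '@' accepts the crafted address, while the address that email.utils.parseaddr hands to the mail layer is a different one, so the check and the delivery disagree. The hardened check requires exactly one '@' and that the parsed delivery address equals the submitted address. The ALLOWED_DOMAINS set and the function names are assumptions standing in for Sydent's allowed_local_3pids configuration.

```python
from email.utils import parseaddr

# Constructed allow-list standing in for Sydent's allowed_local_3pids setting.
ALLOWED_DOMAINS = {"good.example.com"}


def domain_after_last_at(address: str) -> str:
    """Domain as a naive allow-list check sees it: everything after the last '@'."""
    return address.rpartition("@")[2].lower()


def naive_is_allowed(address: str) -> bool:
    """Vulnerable pattern: trust whatever follows the last '@'."""
    return domain_after_last_at(address) in ALLOWED_DOMAINS


def delivery_address(address: str) -> str:
    """The addr-spec the mail layer would actually use, via email.utils.parseaddr.
    For the crafted input the advisory reports 'user@bad.example.net'; newer,
    stricter Python parsers may return '' instead. Either way it is not the
    address the naive check approved."""
    return parseaddr(address)[1]


def check_and_delivery_agree(address: str) -> bool:
    """True only when the string that passed the allow-list is exactly what gets mailed."""
    return delivery_address(address) == address


def strict_is_allowed(address: str) -> bool:
    """Hardened check: no whitespace or address-list punctuation, exactly one '@',
    allow-listed domain, and parseaddr must round-trip the address unchanged."""
    if not address or address != address.strip():
        return False
    if any(ch.isspace() or ch in "<>,;" for ch in address):
        return False
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return False
    if domain.lower() not in ALLOWED_DOMAINS:
        return False
    return check_and_delivery_agree(address)


if __name__ == "__main__":
    crafted = "user@bad.example.net@good.example.com"   # constructed input from the advisory
    print("naive check accepts:", naive_is_allowed(crafted))
    print("would be mailed to:", repr(delivery_address(crafted)))
    print("strict check accepts:", strict_is_allowed(crafted))
```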
