CVE-2021-29430Improper Input Validation in Sydent

CWE-20Improper Input ValidationCWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling5 documents4 sources
Severity
7.5HIGHNVD
EPSS
1.4%
top 19.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Matrix-org SydentMatrix Sydent
Timeline
PublishedApr 15
Latest updateApr 19

Description

Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service. This affects any server which accepts registration

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDmatrix/sydent< 2.3.0
CVEListV5matrix-org/sydent< 2.3.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Sydent vulnerable to denial of service attack via memory exhaustion2021-04-19
GHSA
Sydent vulnerable to denial of service attack via memory exhaustion2021-04-19
OSV
CVE-2021-29430: Sydent is a reference Matrix identity server2021-04-15
CVEList
Denial of service attack via memory exhaustion2021-04-15
CVE-2021-29430 — Improper Input Validation in Sydent | cvebase