CVE-2023-38686: Improper Certificate Validation in Sydent

Severity
NVD: 5.3 MEDIUM
CNA: 9.3
EPSS
0.1% (top 82.98%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 4, 2023

Description

Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitations and address confirmation emails. This is patched in Sydent 2.5.6. When patching, make sure that Sydent trusts the certificate of the server it i
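The two behaviours the advisory contrasts, as an added example that is not Sydent's own code: a TLS client context that encrypts the SMTP session but accepts any certificate (the pre-2.5.6 behaviour described above, which a network-positioned attacker defeats by presenting their own certificate), beside a context that verifies the chain and the hostname. The `audit_context` helper and the optional `ca_file` argument are this example's own additions; `ca_file` is how an operator would satisfy the advisory's caveat that Sydent must trust the certificate of the SMTP server it talks to when that server uses an internal CA.

```python
"""Added example: unverified vs. verified STARTTLS for outbound SMTP.

Not Sydent's code; it uses only the Python standard library so the
configuration comparison runs offline.  send_with_starttls() needs a
real SMTP server and is shown for the usage pattern only.
"""
import smtplib
import ssl
from typing import List, Optional


def insecure_smtp_context() -> ssl.SSLContext:
    """Vulnerable pattern: TLS on the wire, but no certificate validation.

    The session is encrypted, yet the client never checks who it is
    encrypting to, so an attacker on the network path can terminate the
    TLS session with any certificate and read the room invitations and
    address-confirmation emails in clear text.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_smtp_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened pattern: verify the chain and the hostname.

    ca_file (assumed parameter for this example) points at a PEM bundle
    for deployments whose SMTP server presents a certificate from an
    internal CA; with None the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise for an SMTP client context."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def send_with_starttls(host: str, port: int, sender: str, recipient: str,
                       message: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> None:
    """Deliver one message over STARTTLS using the supplied context.

    With verifying_smtp_context() the handshake inside starttls() raises
    ssl.SSLCertVerificationError when the server's certificate does not
    chain to a trusted CA or does not match `host`, so the message is
    never handed to an impostor.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-identify over the now-encrypted channel
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_smtp_context()),
                      ("verifying", verifying_smtp_context())):
        print(name, audit_context(ctx) or "no findings")
```

Before upgrading to 2.5.6, confirm that the SMTP server's certificate actually validates from the Sydent host, for example with `openssl s_client -connect mail.example.org:587 -starttls smtp -verify_return_error` (hostname assumed); if that fails, email delivery will stop after the patch until the CA is added to the trust store Sydent uses.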

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (2 packages)

NVD: matrix/sydent < 2.5.6
CVEListV5: matrix-org/sydent < 2.5.6

Patches

Vulnerability Details (4 references)

CVEList: Sydent does not verify email server certificates (2023-08-04)
OSV: CVE-2023-38686: Sydent is an identity server for the Matrix communications protocol (2023-08-04)
OSV: Sydent does not verify email server certificates (2023-07-31)
GHSA: Sydent does not verify email server certificates (2023-07-31)
CVE-2023-38686 — Improper Certificate Validation | cvebase