Matrix-Org Sydent vulnerabilities

5 known vulnerabilities affecting matrix-org/sydent.

Total CVEs

5

CISA KEV

0

Public exploits

0

Exploited in wild

0

Severity breakdown

HIGH1MEDIUM4

Vulnerabilities

Page 1 of 1

CVE-2023-38686MEDIUMCVSS 5.3fixed in 2.5.62023-08-04

CVE-2023-38686 [MEDIUM] CWE-295 CVE-2023-38686: Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if conf Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Sydent's emails vulnerable to interception via a man-in-the-middle (MITM) attack. Attackers with privileged access to the network can intercept room invitat

CVE-2021-29430HIGHCVSS 7.5fixed in 2.3.02021-04-15

CVE-2021-29430 [HIGH] CWE-20 CVE-2021-29430: Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserve

CVE-2021-29431MEDIUMCVSS 6.5fixed in 2.3.02021-04-15

CVE-2021-29431 [MEDIUM] CWE-20 CVE-2021-29431: Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to int Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been add

CVE-2021-29433MEDIUMCVSS 4.3≤ 2.2.02021-04-15

CVE-2021-29433 [MEDIUM] CWE-20 CVE-2021-29433: Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, sissing input vali Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 and prior, sissing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. A patch for the vulnerability is in version 2.3.0. No workarounds are known to exist.

CVE-2021-29432MEDIUMCVSS 5.7fixed in 2.3.02021-04-15

CVE-2021-29432 [MEDIUM] CWE-20 CVE-2021-29432: Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitr Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.