CVE-2019-11340 - OpenCVE

util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Matrix	Sydent

Configuration 1 [-]

cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc
https://github.com/matrix-org/sydent/compare/7c002cd...09278fb
https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/
https://twitter.com/matrixdotorg/status/1118934335963500545

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-19T13:35:36

Updated: 2024-08-04T22:48:09.226Z

Reserved: 2019-04-19T00:00:00

Link: CVE-2019-11340

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-19T14:29:00.417

Modified: 2019-04-22T17:52:19.167

Link: CVE-2019-11340

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-19T13:35:36", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://twitter.com/matrixdotorg/status/1118934335963500545"}, {"tags": ["x_refsource_MISC"], "url": "https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/compare/7c002cd...09278fb"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11340", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://twitter.com/matrixdotorg/status/1118934335963500545", "refsource": "MISC", "url": "https://twitter.com/matrixdotorg/status/1118934335963500545"}, {"name": "https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/", "refsource": "MISC", "url": "https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/"}, {"name": "https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc"}, {"name": "https://github.com/matrix-org/sydent/compare/7c002cd...09278fb", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/compare/7c002cd...09278fb"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.226Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/matrixdotorg/status/1118934335963500545"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/compare/7c002cd...09278fb"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11340", "datePublished": "2019-04-19T13:35:36", "dateReserved": "2019-04-19T00:00:00", "dateUpdated": "2024-08-04T22:48:09.226Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE553235-44B4-4D67-AF42-EC3F61590182", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring."}, {"lang": "es", "value": "Vulnerabilidad en archivo util/emailutils.py en Matrix Sydent anterior a las restricciones de registro de la versi\u00f3n 1.0.2 basado en el dominio de correo electr\u00f3nico, si la opci\u00f3n allowed_local_3pids est\u00e1 habilitada. Esto ocurre debido a un comportamiento potencialmente no deseado en Python, en el que una llamada de email.utils.parseaddr en user@bad.example.net@good.example.com devuelve la subcadena user@bad.example.net."}], "id": "CVE-2019-11340", "lastModified": "2019-04-22T17:52:19.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-19T14:29:00.417", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/compare/7c002cd...09278fb"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/matrixdotorg/status/1118934335963500545"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}