CVE-2021-29431 - OpenCVE

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Matrix	Sydent

Configuration 1 [-]

cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a
https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3
https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a
https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f
https://github.com/matrix-org/sydent/releases/tag/v2.3.0
https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4
https://pypi.org/project/matrix-sydent/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-04-15T21:00:16

Updated: 2024-08-03T22:02:51.856Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29431

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-15T21:15:17.520

Modified: 2021-04-22T15:27:01.050

Link: CVE-2021-29431

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "sydent", "vendor": "matrix-org", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "descriptions": [{"lang": "en", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "{\"CWE-20\":\"Improper Input Validation\"}", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-15T21:00:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/matrix-sydent/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}], "source": {"advisory": "GHSA-9jhm-8m8c-c3f4", "discovery": "UNKNOWN"}, "title": "SSRF in Sydent due to missing validation of hostnames", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29431", "STATE": "PUBLIC", "TITLE": "SSRF in Sydent due to missing validation of hostnames"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sydent", "version": {"version_data": [{"version_value": "< 2.3.0"}]}}]}, "vendor_name": "matrix-org"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-20\":\"Improper Input Validation\"}"}]}, {"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://pypi.org/project/matrix-sydent/", "refsource": "MISC", "url": "https://pypi.org/project/matrix-sydent/"}, {"name": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"name": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4", "refsource": "CONFIRM", "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"name": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"name": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"name": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"name": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}]}, "source": {"advisory": "GHSA-9jhm-8m8c-c3f4", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:51.856Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/matrix-sydent/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29431", "datePublished": "2021-04-15T21:00:16", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:02:51.856Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*", "matchCriteriaId": "C77C5A80-7302-49F8-8DAA-37B269691C9C", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}, {"lang": "es", "value": "Sydent es un servidor de identidad Matrix de referencia. Sydent puede ser inducido a enviar peticiones HTTP GET hacia sistemas internos, debido a una falta de comprobaci\u00f3n de par\u00e1metros o la lista negra de direcciones IP. No es posible exfiltrar datos o controlar los encabezados de peticiones, pero podr\u00eda ser posible utilizar el ataque para llevar a cabo una enumeraci\u00f3n de puertos internos. Este problema ha sido abordado en 9e57334, 8936925, 3d531ed, 0f00412. Una posible soluci\u00f3n alternativa ser\u00eda utilizar un firewall para garantizar que Sydent no pueda acceder a los recursos HTTP internos"}], "id": "CVE-2021-29431", "lastModified": "2021-04-22T15:27:01.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-04-15T21:15:17.520", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/matrix-sydent/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}