CVE-2021-29431 - OpenCVE

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Matrix	Sydent

Configuration 1 [-]

cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a	Patch Third Party Advisory
https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f	Patch Third Party Advisory
https://github.com/matrix-org/sydent/releases/tag/v2.3.0	Release Notes Third Party Advisory
https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4	Patch Third Party Advisory
https://pypi.org/project/matrix-sydent/	Product Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-04-15T21:00:16

Updated: 2021-04-15T21:00:16

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29431

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-15T21:15:17.520

Modified: 2021-04-22T15:27:01.050

Link: CVE-2021-29431

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "sydent", "vendor": "matrix-org", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "descriptions": [{"lang": "en", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "{\"CWE-20\":\"Improper Input Validation\"}", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-15T21:00:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/matrix-sydent/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}], "source": {"advisory": "GHSA-9jhm-8m8c-c3f4", "discovery": "UNKNOWN"}, "title": "SSRF in Sydent due to missing validation of hostnames", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29431", "STATE": "PUBLIC", "TITLE": "SSRF in Sydent due to missing validation of hostnames"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sydent", "version": {"version_data": [{"version_value": "< 2.3.0"}]}}]}, "vendor_name": "matrix-org"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-20\":\"Improper Input Validation\"}"}]}, {"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://pypi.org/project/matrix-sydent/", "refsource": "MISC", "url": "https://pypi.org/project/matrix-sydent/"}, {"name": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"name": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4", "refsource": "CONFIRM", "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"name": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"name": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"name": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"name": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a", "refsource": "MISC", "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}]}, "source": {"advisory": "GHSA-9jhm-8m8c-c3f4", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29431", "datePublished": "2021-04-15T21:00:16", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2021-04-15T21:00:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*", "matchCriteriaId": "C77C5A80-7302-49F8-8DAA-37B269691C9C", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources."}, {"lang": "es", "value": "Sydent es un servidor de identidad Matrix de referencia. Sydent puede ser inducido a enviar peticiones HTTP GET hacia sistemas internos, debido a una falta de comprobaci\u00f3n de par\u00e1metros o la lista negra de direcciones IP. No es posible exfiltrar datos o controlar los encabezados de peticiones, pero podr\u00eda ser posible utilizar el ataque para llevar a cabo una enumeraci\u00f3n de puertos internos. Este problema ha sido abordado en 9e57334, 8936925, 3d531ed, 0f00412. Una posible soluci\u00f3n alternativa ser\u00eda utilizar un firewall para garantizar que Sydent no pueda acceder a los recursos HTTP internos"}], "id": "CVE-2021-29431", "lastModified": "2021-04-22T15:27:01.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-04-15T21:15:17.520", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/matrix-sydent/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}