CVE-2021-29432 — Malicious users could abuse Sydent to control the content of invitation emails

Description

Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.

How to fix CVE-2021-29432

To remediate CVE-2021-29432, upgrade the affected package to a fixed version below.

—upgrade to 2.3.0 or later
—upgrade to 4469d1d42b2b1612b70638224c07e19623039c42 or later

Is CVE-2021-29432 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.0
from 0, < 4469d1d42b2b1612b70638224c07e19623039c42 | from 0, < 2.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29432
PATCHpypi.org/project/matrix-sydent/
WEBgithub.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42
WEBgithub.com/matrix-org/sydent/releases/tag/v2.3.0