CVE-2021-29431

SSRF in Sydent due to missing validation of hostnames

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

Sydent es un servidor de identidad Matrix de referencia. Sydent puede ser inducido a enviar peticiones HTTP GET hacia sistemas internos, debido a una falta de comprobación de parámetros o la lista negra de direcciones IP. No es posible exfiltrar datos o controlar los encabezados de peticiones, pero podría ser posible utilizar el ataque para llevar a cabo una enumeración de puertos internos. Este problema ha sido abordado en 9e57334, 8936925, 3d531ed, 0f00412. Una posible solución alternativa sería utilizar un firewall para garantizar que Sydent no pueda acceder a los recursos HTTP internos

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-30 CVE Reserved
2021-04-15 CVE Published
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (7)

URL	Tag	Source
https://github.com/matrix-org/sydent/releases/tag/v2.3.0	Release Notes
https://pypi.org/project/matrix-sydent	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/matrix-org/sydent/commit/0f00412017f25619bc36c264b29ea96808bf310a	2021-04-22
https://github.com/matrix-org/sydent/commit/3d531ed50d2fd41ac387f36d44d3fb2c62dd22d3	2021-04-22
https://github.com/matrix-org/sydent/commit/8936925f561b0c352c2fa922d5097d7245aad00a	2021-04-22
https://github.com/matrix-org/sydent/commit/9e573348d81df8191bbe8c266c01999c9d57cd5f	2021-04-22
https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4	2021-04-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Matrix Search vendor "Matrix"		Sydent Search vendor "Matrix" for product "Sydent"				< 2.3.0 Search vendor "Matrix" for product "Sydent" and version " < 2.3.0"		-		Affected