CVE-2021-29433: Sydent DoS (via resource exhaustion) due to improper input validation
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-29433
GHSA ID:
EPSS Score: 0.51119%
CWE:
Published: 4/16/2021
Updated: 9/24/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| matrix-sydent | pip | < 2.3.0 | 2.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing input validation in three places:
1) EmailServlet's handling of the email parameter had no length check (the patch adds MAX_EMAIL_ADDRESS_LENGTH);
2) StoreInviteServlet's address parameter had no size restriction;
3) client_secret validation did not enforce a maximum length (the patch adds a 255-character limit).
Because of these omissions, an attacker could submit arbitrarily large values, exhausting disk and memory through excessive storage (tokens) and processing (email sending). The patch adds these validations in the affected functions.
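The shape of the fix, as an added illustration rather than Sydent's own code: the unchecked handler persists whatever it is given, while the hardened handler enforces length limits before any token is stored. MAX_EMAIL_ADDRESS_LENGTH's value and the store/token helpers are assumptions; only the 255-character client_secret cap comes from the analysis above.

```python
# Added example, not code from Sydent. Constants: the 255-char client_secret
# limit is the one named in the analysis; the email limit value is assumed.
MAX_EMAIL_ADDRESS_LENGTH = 254  # assumption, chosen to match RFC 5321 practice
MAX_CLIENT_SECRET_LENGTH = 255  # the cap the patch adds per the analysis


class RequestError(Exception):
    """Raised when a request is rejected before any work is done."""


def store_token(store: dict, address: str, client_secret: str) -> str:
    # Stand-in (assumed) for token persistence: the stored row grows with
    # the request fields, which is the disk/memory exhaustion vector.
    token = f"{len(store):06d}"
    store[token] = {"address": address, "client_secret": client_secret}
    return token


def handle_unchecked(store: dict, address: str, client_secret: str) -> str:
    # Vulnerable shape: every request is persisted regardless of size.
    return store_token(store, address, client_secret)


def validate_request(address: str, client_secret: str):
    """Return None if the fields are acceptable, else a rejection reason."""
    if not address or len(address) > MAX_EMAIL_ADDRESS_LENGTH:
        return "email address missing or too long"
    if not client_secret or len(client_secret) > MAX_CLIENT_SECRET_LENGTH:
        return "client_secret missing or too long"
    return None


def handle_checked(store: dict, address: str, client_secret: str) -> str:
    # Hardened shape: reject oversize fields before storing or sending anything.
    reason = validate_request(address, client_secret)
    if reason is not None:
        raise RequestError(reason)
    return store_token(store, address, client_secret)


def stored_bytes(store: dict) -> int:
    # Rough measure of how much request-controlled data the store holds.
    return sum(len(v["address"]) + len(v["client_secret"]) for v in store.values())
```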