
CVE-2021-29433: Sydent DoS (via resource exhaustion) due to improper input validation

CVSS Score
4.3 (CVSS v3.1)

Basic Information

EPSS Score
0.51119%
Published
4/16/2021
Updated
9/24/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name
matrix-sydent
Ecosystem
pip
Vulnerable Versions
< 2.3.0
First Patched Version
2.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing input validation in three places:
1) EmailServlet accepted the email parameter without any length check (the patch adds MAX_EMAIL_ADDRESS_LENGTH);
2) StoreInviteServlet placed no size restriction on the address parameter;
3) client_secret validation did not enforce a maximum length (the patch adds a 255-character limit).
Because these values are stored alongside the validation tokens and are processed when the confirmation email is sent, an attacker could submit arbitrarily large values and exhaust disk space and memory through excessive storage and processing. The patch adds these checks in the identified functions.
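The following is an added example, not Sydent's code: a minimal stand-in for a third-party-identifier confirmation handler, shown once without size checks (the pre-2.3.0 behaviour the analysis describes) and once with the length checks applied before anything is stored. The TokenStore class, the handler names, MAX_ADDRESS_LENGTH and the value of MAX_EMAIL_ADDRESS_LENGTH are assumptions for illustration; the page only confirms that the fix added a 255-character cap on client_secret and a MAX_EMAIL_ADDRESS_LENGTH constant. The client_secret character set is also an assumption taken from the Matrix specification rather than from this page.

```python
"""Added example (not Sydent's code): bounded request parameters for a
third-party-identifier confirmation endpoint, before and after adding
length checks. Limits other than the 255-char client_secret cap are
assumptions for illustration."""

import re

# Assumed limits. MAX_EMAIL_ADDRESS_LENGTH exists in the fix but its value
# is not stated on this page; MAX_ADDRESS_LENGTH is purely illustrative.
MAX_EMAIL_ADDRESS_LENGTH = 500
MAX_ADDRESS_LENGTH = 500
MAX_CLIENT_SECRET_LENGTH = 255  # the 255-char limit named in the analysis

# Assumed charset for client_secret (from the Matrix spec, not this page).
_CLIENT_SECRET_RE = re.compile(r"^[0-9a-zA-Z.=_-]+$")


class InvalidParam(ValueError):
    """Raised when a request parameter is missing, non-string, or too large."""

    def __init__(self, name, reason):
        super().__init__(f"{name}: {reason}")
        self.name = name
        self.reason = reason


def check_length(params, name, max_len):
    """Return params[name] if it is a string of at most max_len characters."""
    value = params.get(name)
    if value is None:
        raise InvalidParam(name, "missing")
    if not isinstance(value, str):
        raise InvalidParam(name, "not a string")
    if len(value) > max_len:
        raise InvalidParam(name, f"longer than {max_len} characters")
    return value


class TokenStore:
    """Tiny in-memory stand-in for a validation-session table (constructed)."""

    def __init__(self):
        self.sessions = []
        self.bytes_stored = 0

    def add(self, address, client_secret):
        self.sessions.append((address, client_secret))
        self.bytes_stored += len(address) + len(client_secret)


def request_token_vulnerable(store, params, address_field="email"):
    # Pre-fix shape: whatever the client sent is stored and queued for
    # email processing, regardless of size.
    address = params.get(address_field, "")
    secret = params.get("client_secret", "")
    store.add(address, secret)
    return {"sid": str(len(store.sessions))}


def request_token_hardened(store, params, address_field="email"):
    # Post-fix shape: reject oversized or malformed values before any
    # storage or email work happens.
    max_addr = MAX_EMAIL_ADDRESS_LENGTH if address_field == "email" else MAX_ADDRESS_LENGTH
    address = check_length(params, address_field, max_addr)
    secret = check_length(params, "client_secret", MAX_CLIENT_SECRET_LENGTH)
    if not _CLIENT_SECRET_RE.match(secret):
        raise InvalidParam("client_secret", "invalid characters")
    store.add(address, secret)
    return {"sid": str(len(store.sessions))}


def simulate_flood(handler, request_count, payload_size):
    """Send request_count oversized requests (constructed input) to handler.

    Returns (bytes_stored, rejected_count) so the two handlers can be compared."""
    store = TokenStore()
    rejected = 0
    oversized = {
        "email": "a" * payload_size + "@example.com",
        "client_secret": "b" * payload_size,
    }
    for _ in range(request_count):
        try:
            handler(store, oversized)
        except InvalidParam:
            rejected += 1
    return store.bytes_stored, rejected


if __name__ == "__main__":
    print("vulnerable:", simulate_flood(request_token_vulnerable, 10, 1_000_000))
    print("hardened:  ", simulate_flood(request_token_hardened, 10, 1_000_000))
```

Running the module shows the vulnerable handler storing roughly 20 MB after ten requests while the hardened one stores nothing and rejects all ten; the checks run before the store is touched, which is the property that matters, since rejecting after storage would still let the attacker consume disk.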


WAF Protection Rules

WAF Rule

### Impact Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. ### Patches Fixed by *******. ### For more informat
