{"api_version":"1","generated_at":"2026-04-23T07:01:06+00:00","cve":"CVE-2021-29432","urls":{"html":"https://cve.report/CVE-2021-29432","api":"https://cve.report/api/cve/CVE-2021-29432.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29432","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29432"},"summary":{"title":"CVE-2021-29432","description":"Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-04-15 21:15:00","updated_at":"2022-08-03 10:17:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://github.com/matrix-org/sydent/releases/tag/v2.3.0","name":"https://github.com/matrix-org/sydent/releases/tag/v2.3.0","refsource":"MISC","tags":[],"title":"Release Sydent 2.3.0 (2021-04-15) · matrix-org/sydent · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pypi.org/project/matrix-sydent/","name":"https://pypi.org/project/matrix-sydent/","refsource":"MISC","tags":[],"title":"matrix-sydent · PyPI","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx","name":"https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx","refsource":"CONFIRM","tags":[],"title":"Malicious users could control the content of invitation emails · Advisory · matrix-org/sydent · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42","name":"https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42","refsource":"MISC","tags":[],"title":"Randomise multipart boundary, and include mxids in invite email notifs · matrix-org/sydent@4469d1d · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29432","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29432","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"29432","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"matrix","cpe5":"sydent","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29432","qid":"982746","title":"Python (pip) Security Update for matrix-sydent (GHSA-mh74-4m5g-fcjx)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-29432","STATE":"PUBLIC","TITLE":"Malicious users could control the content of invitation emails"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"sydent","version":{"version_data":[{"version_value":"< 2.3.0"}]}}]},"vendor_name":"matrix-org"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation"}]}]},"references":{"reference_data":[{"name":"https://pypi.org/project/matrix-sydent/","refsource":"MISC","url":"https://pypi.org/project/matrix-sydent/"},{"name":"https://github.com/matrix-org/sydent/releases/tag/v2.3.0","refsource":"MISC","url":"https://github.com/matrix-org/sydent/releases/tag/v2.3.0"},{"name":"https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx","refsource":"CONFIRM","url":"https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx"},{"name":"https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42","refsource":"MISC","url":"https://github.com/matrix-org/sydent/commit/4469d1d42b2b1612b70638224c07e19623039c42"}]},"source":{"advisory":"GHSA-mh74-4m5g-fcjx","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-04-15 21:15:00","lastModifiedDate":"2022-08-03 10:17:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.1,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:matrix:sydent:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29432","Ordinal":"204636","Title":"CVE-2021-29432","CVE":"CVE-2021-29432","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29432","Ordinal":"1","NoteData":"Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29432","Ordinal":"2","NoteData":"2021-04-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29432","Ordinal":"3","NoteData":"2021-04-15","Type":"Other","Title":"Modified"}]}}}