CVE-2019-11340

EPSS 0.47%
Veröffentlicht 19.04.2019 14:29:00
Zuletzt bearbeitet 21.11.2024 04:20:54
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Matrix ≫ Sydent Version < 1.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.47%	0.636

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc

Patch

Third Party Advisory

https://github.com/matrix-org/sydent/compare/7c002cd...09278fb

Patch

Third Party Advisory

https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

Vendor Advisory

Release Notes

https://twitter.com/matrixdotorg/status/1118934335963500545

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11340

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11340

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11340

EUVD