CVE-2019-11340

EPSS 0.47%
Published 19.04.2019 14:29:00
Last modified 21.11.2024 04:20:54
Source cve@mitre.org
Teams watchlist Login
Open Login

util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Sydent Version < 1.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.47%	0.636

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc

Patch

Third Party Advisory

https://github.com/matrix-org/sydent/compare/7c002cd...09278fb

Patch

Third Party Advisory

https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

Vendor Advisory

Release Notes

https://twitter.com/matrixdotorg/status/1118934335963500545

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-11340

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-11340

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-11340

EUVD