7.5
CWE
770 20 400
Advisory Published
Advisory Published
Updated

CVE-2021-29430: Denial of service attack via memory exhaustion

First published: Thu Apr 15 2021(Updated: )

### Impact Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to disk space exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service. This affects any server which accepts registration requests from untrusted clients. ### Patches Patched by 89071a1, 0523511, f56eee3. ### Workarounds Request sizes can be limited in an HTTP reverse-proxy. There are no known workarounds for the problem with overlarge responses. ### For more information If you have any questions or comments about this advisory, email us at security@matrix.org.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Matrix Sydent<2.3.0
pip/matrix-sydent<2.3.0
2.3.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2021-29430?

    CVE-2021-29430 is a vulnerability in the Matrix Sydent identity server that allows a malicious user to send very large HTTP requests, causing memory exhaustion and denial of service.

  • How severe is CVE-2021-29430?

    The severity of CVE-2021-29430 is high, with a severity score of 7.5.

  • What software is affected by CVE-2021-29430?

    Matrix Sydent versions up to and excluding 2.3.0 are affected by CVE-2021-29430.

  • How can the memory exhaustion and denial of service attack be prevented?

    To prevent the memory exhaustion and denial of service attack, it is recommended to update Matrix Sydent to a version that includes the fixed commits: 0523511d2fb40f2738f8a8549868f44b96e5dab7, 89071a1a754c69a50deac89e6bb74002d4cda19d, and f56eee315b6c44fdd9f6aa785cc2ec744a594428.

  • Is there any additional information available for CVE-2021-29430?

    For additional information on CVE-2021-29430, you can refer to the following references: [link1], [link2], [link3].

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203