| Vulnerability Name: | CVE-2019-11340 (CCN-160071) | ||||||||||||
| Assigned: | 2019-04-18 | ||||||||||||
| Published: | 2019-04-18 | ||||||||||||
| Updated: | 2019-04-22 | ||||||||||||
| Summary: | util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring. | ||||||||||||
| CVSS v3 Severity: | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-20 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-11340 Source: XF Type: UNKNOWN matrix-sydent-cve201911340-sec-bypass(160071) Source: MISC Type: Patch, Third Party Advisory https://github.com/matrix-org/sydent/commit/4e1cfff53429c49c87d5c457a18ed435520044fc Source: MISC Type: Patch, Third Party Advisory https://github.com/matrix-org/sydent/compare/7c002cd...09278fb Source: CCN Type: Matrix Blog, 04/18/2019 Security Update: Sydent 1.0.2 Source: MISC Type: Release Notes, Vendor Advisory https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/ Source: CCN Type: Matrix Web site sydent Source: MISC Type: Third Party Advisory https://twitter.com/matrixdotorg/status/1118934335963500545 Source: CCN Type: WhiteSource Vulnerability Database CVE-2019-11340 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||