Sydent does not verify email server certificates
CVE-2023-38686

9.3CRITICAL

Key Information:

Vendor: Matrix-org
Status: Sydent
Vendor: CVE Published:; 4 August 2023

What is CVE-2023-38686?

Sydent, the identity server for the Matrix communications protocol, exhibits a vulnerability prior to version 2.5.6 due to its failure to verify SMTP server certificates when TLS is configured for sending emails. This flaw allows potential man-in-the-middle (MITM) attacks where attackers can intercept sensitive email communications, including room invitations and address confirmations, if they command privileged access to the network. To mitigate this risk, users must upgrade to Sydent version 2.5.6 or later and ensure that the server's certificate is correctly trusted. Attention is also vital for those using self-signed certificates; it is imperative to add the relevant certificates to the operating system's trust store. Until patching is applied, setting the SMTP server to a controlled, non-routable address can serve as a temporary workaround to prevent email transmission.

Affected Version(s)

sydent < 2.5.6

References

https://github.com/matrix-org/sydent/security/advisories/...

x_refsource_CONFIRM

https://github.com/python/cpython/issues/91826

x_refsource_MISC

https://github.com/matrix-org/sydent/pull/574

x_refsource_MISC

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 4, 2023
Vulnerability Reserved
Jul 24, 2023

Matrix-org

What is CVE-2023-38686?

Affected Version(s)

References

CVSS V3.1

Timeline