CVE-2021-29432: 
Python vulnerability analysis and mitigation

Sydent, a reference matrix identity server, contained a vulnerability (CVE-2021-29432) that allowed malicious users to abuse the system to send arbitrary emails from the Sydent email address. The vulnerability was discovered and disclosed in April 2021, affecting versions 2.2.0 and earlier of the matrix-sydent package (GitHub Advisory).

The vulnerability stemmed from insufficient validation and sanitization of email content in the invitation email system. This allowed attackers to manipulate the content of invitation emails sent through the Sydent server. The issue was fixed by implementing proper input validation and randomization of multipart boundaries in email templates (GitHub Release).

The vulnerability could be exploited to construct plausible phishing emails, as attackers could send arbitrary emails that appeared to come from the legitimate Sydent email address. This posed a significant social engineering risk as the malicious emails would have legitimate domain authority (GitHub Advisory).

The vulnerability was patched in version 2.3.0 of Sydent, released on April 15, 2021. The fix included changes to the default email templates and implementation of proper input validation. Server administrators were advised to update as soon as possible and ensure any custom email templates were updated in line with the security changes. No workarounds were available for unpatched systems (GitHub Release).