This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
{"id": "CVE-2019-20970", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2019-20970", "description": "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.", "published": "2022-02-25T11:39:32", "modified": "2022-02-25T11:39:32", "cvss": {}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "candidate", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-02-25T11:39:32", "viewCount": 8, "enchantments": {"backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-202105-13"]}]}, "score": {"value": 1.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-202105-13"]}], "rev": 4}, "vulnersScore": 1.5}, "_state": {"dependencies": 1660004461, "score": 1659855189, "epss": 1679179052}, "_internal": {"score_hash": "5e28115e29bc896b13a708029eebd876"}, "cpe": [], "cpe23": [], "cwe": [], "affectedSoftware": [], "affectedConfiguration": [], "cpeConfiguration": {}, "extraReferences": [], "product_info": []}
{"archlinux": [{"lastseen": "2021-07-28T14:33:54", "description": "Arch Linux Security Advisory ASA-202105-13\n==========================================\n\nSeverity: Medium\nDate : 2021-05-19\nCVE-ID : CVE-2019-20790 CVE-2020-12272\nPackage : opendmarc\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1375\n\nSummary\n=======\n\nThe package opendmarc before version 1.4.1.1-1 is vulnerable to\nmultiple issues including content spoofing and authentication bypass.\n\nResolution\n==========\n\nUpgrade to 1.4.1.1-1.\n\n# pacman -Syu \"opendmarc>=1.4.1.1-1\"\n\nThe problems have been fixed upstream in version 1.4.1.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-20790 (authentication bypass)\n\nOpenDMARC before 1.4.1, when used with pypolicyd-spf 2.0.2, allows\nattacks that bypass SPF and DMARC authentication in situations where\nthe HELO field is inconsistent with the MAIL FROM field.\n\n- CVE-2020-12272 (content spoofing)\n\nOpenDMARC before 1.4.1 allows attacks that inject authentication\nresults to provide false information about the domain that originated\nan e-mail message. This is caused by incorrect parsing and\ninterpretation of SPF/DKIM authentication results, as demonstrated by\nthe example.net(.example.com substring.\n\nOpenDMARC has added checking to validate that the domain element in\nboth SPF and DKIM header fields being inspected argument contains only\nvalid domain name characters. This has been fixed as of OpenDMARC 1.4.1\n(March 2021).\n\nImpact\n======\n\nA remote attacker could spoof SPF, DMARC and DKIM authentication\nresults.\n\nReferences\n==========\n\nhttps://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970\nhttps://bugs.launchpad.net/pypolicyd-spf/+bug/1838816\nhttps://sourceforge.net/p/opendmarc/tickets/235/\nhttps://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf\nhttps://github.com/trusteddomainproject/OpenDMARC/issues/49\nhttps://github.com/trusteddomainproject/OpenDMARC/issues/158\nhttps://github.com/trusteddomainproject/OpenDMARC/commit/d72e1ec0ae6ed3a9827b31be4f268fc528232371\nhttps://github.com/trusteddomainproject/OpenDMARC/commit/9c0db8c12e4488fbf948afc27d8395d0c6bb53bd\nhttps://github.com/trusteddomainproject/OpenDMARC/commit/5f980792546d11bc16dff7f875188ba81989ba33\nhttps://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2020-12272\nhttps://sourceforge.net/p/opendmarc/tickets/237/\nhttps://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e\nhttps://security.archlinux.org/CVE-2019-20790\nhttps://security.archlinux.org/CVE-2020-12272", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-19T00:00:00", "type": "archlinux", "title": "[ASA-202105-13] opendmarc: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20790", "CVE-2019-20970", "CVE-2020-12272"], "modified": "2021-05-19T00:00:00", "id": "ASA-202105-13", "href": "https://security.archlinux.org/ASA-202105-13", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
CVE-2019-20970
