CVE-2023-33185

2023-05-2621:15:20

CWE-347

[email protected]

web.nvd.nist.gov

django-ses

django

library

mail backend

aws simple email service

cve-2023-33185

security vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.9%

JSON

Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

Affected configurations

Vulners

NVD

Node

django-sesdjango_sesRange<3.5.0

CPENameOperatorVersion
django-ses_project:django-sesdjango-ses project django-seslt3.5.0

CPE	Name	Operator	Version
django-ses_project:django-ses	django-ses project django-ses	lt	3.5.0

CNA Affected

[
  {
    "vendor": "django-ses",
    "product": "django-ses",
    "versions": [
      {
        "version": "< 3.5.0",
        "status": "affected"
      }
    ]
  }
]