Lucene search

K
nvd[email protected]NVD:CVE-2023-27043
HistoryApr 19, 2023 - 12:15 a.m.

CVE-2023-27043

2023-04-1900:15:07
CWE-20
web.nvd.nist.gov
11
python
email module
vulnerability
parsing
special characters
email address verification
rfc2822
protection mechanism
bypass
application
access
domain
signup

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.7

Confidence

High

EPSS

0.002

Percentile

58.7%

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Affected configurations

Nvd
Node
pythonpythonRange2.7.18
OR
pythonpythonRange3.03.11
VendorProductVersionCPE
pythonpython*cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

References

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.7

Confidence

High

EPSS

0.002

Percentile

58.7%