openvas | Copyright (C) 2024 Greenbone AG | OPENVAS:1361412562310114731
History: Aug 02, 2024 - 12:00 a.m.

Python Email Header Injection Vulnerability (Aug 2024) - Linux

2024-08-02 00:00:00
Copyright (C) 2024 Greenbone AG
plugins.openvas.org
33
python
email
header injection
vulnerability
linux
greenbone ag
cve-2024-6923
email module
security vulnerability

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

5.5

Confidence

High

EPSS

0

Percentile

13.7%

Python is prone to an email header injection vulnerability in
the email module.

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE of the product this VT evaluates; it is passed to the host-detail lookups in the
# version check that follows the description block.
CPE = "cpe:/a:python:python";

# Description phase: registers the VT's metadata (OID, CVE, severity, detection quality,
# dependencies and the report texts) and then exits without running the version check.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.114731");
  script_version("2024-08-14T05:05:52+0000");
  script_tag(name:"last_modification", value:"2024-08-14 05:05:52 +0000 (Wed, 14 Aug 2024)");
  script_tag(name:"creation_date", value:"2024-08-02 13:10:48 +0000 (Fri, 02 Aug 2024)");
  # CVSS v2 score and vector as recorded by this VT: network reachable, no authentication,
  # partial integrity impact only.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_cve_id("CVE-2024-6923");

  # Quality of detection: the verdict rests on a reported version string only. A build that
  # carries a backported fix under an unchanged version number would still be flagged, so
  # findings should be confirmed against the package vendor's advisory before remediation.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  # Remediation is a vendor-supplied update (see the "solution" tag below).
  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Python Email Header Injection Vulnerability (Aug 2024) - Linux");

  # Information-gathering category: the check in this file only compares version data and
  # contains no probing or exploitation logic of its own.
  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("General");
  # The VT runs only when both mandatory keys are set - presumably by the two dependencies
  # listed here (Python detected, Unix-like host); verify against those scripts.
  script_dependencies("gb_python_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("python/detected", "Host/runs_unixoide");

  script_tag(name:"summary", value:"Python is prone to an email header injection vulnerability in
  the email module.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The email module didn't properly quote newlines for email
  headers when serializing an email message allowing for header injection when an email is
  serialized.");

  # TODO: As of 2024-08-12 only 3.12.5 got released with a fix, the relevant changelog entry for the
  # "Library" part includes a reference to the fix:
  # > gh-121650: email headers with embedded newlines are now quoted on output. The generator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650.)
  # which can / should be checked against newer releases of the 3.11.x or earlier branches for any
  # possible fixes
  # NOTE(review): until that TODO is resolved, the "affected" and "solution" texts below name a
  # single fixed release, so hosts on an older maintained branch are told to move to 3.12.5 even
  # if their own branch later ships a fix.
  script_tag(name:"affected", value:"Python versions prior to 3.12.5.");

  script_tag(name:"solution", value:"Update to version 3.12.5 or later.");

  # NOTE(review): the list address inside the first URL appears as "[email protected]", which looks
  # like e-mail obfuscation applied by the page hosting this copy; restore it from the upstream
  # VT before relying on the link.
  script_xref(name:"URL", value:"https://mail.python.org/archives/list/[email protected]/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/");
  script_xref(name:"URL", value:"https://github.com/python/cpython/issues/121650");
  script_xref(name:"URL", value:"https://github.com/python/cpython/pull/122233");
  script_xref(name:"URL", value:"https://docs.python.org/release/3.12.5/whatsnew/changelog.html#library");
  script_xref(name:"URL", value:"https://osv.dev/vulnerability/PSF-2024-8");

  # End of the description phase: nothing below runs while metadata is being collected.
  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Version check: report the host when the detected Python release is older than 3.12.5.

# Without a port entry for this CPE there is nothing to evaluate.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# Ask for the detected version and install location. The regex only matches strings that
# start with major.minor.patch; presumably the helper discards anything less precise and,
# with exit_no_version set, ends the script itself when no version is known - confirm in
# host_details.inc.
infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE,
                                     version_regex: "^[0-9]+\.[0-9]+\.[0-9]+");
if (!infos)
  exit(0);

installed_ver = infos["version"];
install_loc = infos["location"];

# NOTE(review): a single threshold is applied to every branch, so any release below 3.12.5 is
# reported regardless of whether its own branch has received a fix. Combined with the
# version-string-only detection, a finding here is a prompt to verify, not proof of exposure.
if (!version_is_less(version: installed_ver, test_version: "3.12.5"))
  exit(99); # by VT convention: host was checked and is not considered affected

report = report_fixed_ver(installed_version: installed_ver, fixed_version: "3.12.5", install_path: install_loc);
security_message(port: port, data: report);
exit(0);
