CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score Confidence: High
EPSS Percentile: 58.7%
The email module of Python through 3.11.3 incorrectly parses e-mail
addresses that contain a special character. The wrong portion of an RFC2822
header is identified as the value of the addr-spec. In some applications,
an attacker can bypass a protection mechanism in which application access
is granted only after verifying receipt of e-mail to a specific domain
(e.g., only @company.example.com addresses may be used for signup). This
occurs in email/_parseaddr.py in recent versions of Python.
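A hardened version of the domain allow-list check that the description mentions, added here as an example; it is not code from the advisory or from CPython, and ALLOWED_DOMAIN, legacy_check and signup_address_allowed are constructed names. It puts the pattern the advisory warns about (trusting whatever parseaddr reports as the addr-spec) beside a check that first requires the whole input to be one bare addr-spec and then cross-checks parseaddr against it, which holds on both fixed and unfixed interpreters.

```python
import re
from email.utils import parseaddr

ALLOWED_DOMAIN = "company.example.com"  # constructed example domain, as in the advisory text

# Conservative bare addr-spec: dot-atom local part "@" dot-atom domain, nothing else.
# Narrower than RFC 5322 on purpose (no display names, comments, quoted strings
# or domain literals): a signup form only needs one plain mailbox.
_ADDR_SPEC = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+"
)


def legacy_check(raw: str, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """The pattern the advisory describes: trust whichever substring parseaddr
    reports as the addr-spec and look only at its domain. On an unfixed
    interpreter a malformed header can make that substring the wrong one."""
    _, addr = parseaddr(raw)
    return addr.lower().endswith("@" + allowed_domain.lower())


def signup_address_allowed(raw: str, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """Accept only a single bare addr-spec whose domain matches the allow-list."""
    candidate = raw.strip()
    # 1. The whole input must be one bare addr-spec, so angle brackets, comments
    #    and the special characters the advisory mentions are rejected up front.
    if not _ADDR_SPEC.fullmatch(candidate):
        return False
    # 2. Defence in depth: parseaddr must agree that the entire input is the
    #    addr-spec. Both the vulnerable behaviour (a truncated address) and the
    #    fixed behaviour (an empty string for malformed input) differ from the
    #    raw input, so this check does not depend on the interpreter version.
    _, parsed = parseaddr(candidate)
    if parsed != candidate:
        return False
    # 3. Compare the domain exactly (case-insensitively), not with endswith().
    domain = candidate.rpartition("@")[2]
    return domain.lower() == allowed_domain.lower()
```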
Author | Note |
---|---|
mdeslaur | As of 2024-07-18, the new pull requests are: https://github.com/python/cpython/pull/108250 and https://github.com/python/cpython/pull/111116 |
allenpthuang | As of 2024-04-11, one of the pull requests has been merged (pull/111116) while the bug (gh-102988) remains open. |
mdeslaur | As of 2024-07-18, the fixes haven't been backported to the stable releases. See the gh-102988 bug. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python3.10 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python3.11 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python3.4 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python3.5 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python3.5 | < any | UNKNOWN |
https://github.com/python/cpython/pull/102990
https://github.com/python/cpython/pull/105127
https://launchpad.net/bugs/cve/CVE-2023-27043
https://nvd.nist.gov/vuln/detail/CVE-2023-27043
https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html
https://security-tracker.debian.org/tracker/CVE-2023-27043
https://www.cve.org/CVERecord?id=CVE-2023-27043