GHSA-pr2m-px7j-xg65

Опубликовано: 13 мар. 2024

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

aiosmtpd vulnerable to SMTP smuggling

Summary

aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also existed in other SMTP software like Postfix (https://www.postfix.org/smtp-smuggling.html).

Details

Detailed information on SMTP smuggling can be found in the full blog post (https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) or on the Postfix homepage (https://www.postfix.org/smtp-smuggling.html). (and soon on the official website https://smtpsmuggling.com/)

Impact

With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances.

Ссылки

Пакеты

Наименование

aiosmtpd

pip

Затронутые версииВерсия исправления

< 1.4.5

1.4.5

EPSS

Процентиль: 67%

0.0054

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2024-27305

Дефекты

CWE-345

Связанные уязвимости

CVE-2024-27305

CVSS3: 5.3

ubuntu

почти 2 года назад

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.