CVE-2023-27582

Опубликовано: 13 мар. 2023

Источник: nvd

CVSS3: 9.1

CVSS3: 9.8

EPSS Низкий

Описание

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.

Ссылки

https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a
Patch
https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
Patch
https://github.com/foxcpp/maddy/releases/tag/v0.6.3
Release Notes
https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w
Patch
Vendor Advisory
https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a
Patch
https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
Patch
https://github.com/foxcpp/maddy/releases/tag/v0.6.3
Release Notes
https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:maddy_project:maddy:*:*:*:*:*:*:*:*

Версия от 0.2.0 (включая) до 0.6.3 (исключая)

EPSS

Процентиль: 34%

0.00138

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-4g76-w3xw-2x6w

CVSS3: 9.1

github

почти 3 года назад

Full authentication bypass if SASL authorization username is specified

EPSS

Процентиль: 34%

0.00138

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-287