CVE-2023-33185

Опубликовано: 26 мая 2023

Источник: nvd

CVSS3: 4.6

CVSS3: 5.4

EPSS Низкий

Описание

Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

Ссылки

https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md
Exploit
Third Party Advisory
https://github.com/django-ses/django-ses/commit/b71b5f413293a13997b6e6314086cb9c22629795
Patch
https://github.com/django-ses/django-ses/security/advisories/GHSA-qg36-9jxh-fj25
Vendor Advisory
https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md
Exploit
Third Party Advisory
https://github.com/django-ses/django-ses/commit/b71b5f413293a13997b6e6314086cb9c22629795
Patch
https://github.com/django-ses/django-ses/security/advisories/GHSA-qg36-9jxh-fj25
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:django-ses_project:django-ses:*:*:*:*:*:*:*:*

Версия до 3.5.0 (исключая)

EPSS

Процентиль: 17%

0.00055

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-347

Связанные уязвимости

GHSA-qg36-9jxh-fj25

CVSS3: 4.6

github

больше 2 лет назад

Incorrect signature verification in django-ses

EPSS

Процентиль: 17%

0.00055

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-347