CVE-2023-27043

Опубликовано: 19 апр. 2023

Источник: redhat

CVSS3: 5.3

Описание

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Отчет

Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	python	Out of support scope
Red Hat Enterprise Linux 7	python	Out of support scope
Red Hat Enterprise Linux 7	python3	Out of support scope
Red Hat Enterprise Linux 8	python27:2.7/python2	Will not fix
Red Hat Enterprise Linux 8	python36:3.6/python36	Not affected
Red Hat Enterprise Linux 8	python38:3.8/python38	Not affected
Red Hat Software Collections	rh-python38-python	Will not fix
Red Hat Enterprise Linux 8	python3	Fixed	RHSA-2024:0256	15.01.2024
Red Hat Enterprise Linux 8	python39	Fixed	RHSA-2024:2985	22.05.2024
Red Hat Enterprise Linux 8	python39-devel	Fixed	RHSA-2024:2985	22.05.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2196183python: Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple

5.3 Medium

CVSS3