Description
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed on the IMAP server.
Statement
To exploit this issue, an attacker needs the privileges required to send malicious input to an application that sends IMAP commands to a server. Additionally, this flaw can allow attackers to manipulate the state of the mailbox (e.g., delete emails, move folders, flag messages) and to potentially read metadata or specific email content, but it does not allow arbitrary code execution or OS command injection. For these reasons, this issue has been rated with a moderate severity.
Mitigation
To mitigate this vulnerability, ensure that no data passed to the imaplib module contains newline or carriage return characters.
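One way to apply this mitigation in application code, as an added example that is not part of the advisory or of imaplib itself: a proxy that checks every string or bytes argument before the call reaches the connection. `check_imap_arg`, `CheckedIMAP` and `RecordingConn` are hypothetical names, and the sample inputs are constructed.

```python
import re

# C0 controls (CR, LF included) plus DEL; the wider range is this example's assumption.
CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def check_imap_arg(value):
    """Raise ValueError if value (str or bytes) holds a control character."""
    text = value.decode("latin-1") if isinstance(value, (bytes, bytearray)) else str(value)
    hit = CTRL_CHARS.search(text)
    if hit:
        raise ValueError(f"control character {hit.group()!r} at offset {hit.start()}")

class CheckedIMAP:
    """Hypothetical proxy: validates str/bytes arguments, then calls the real method."""
    def __init__(self, conn):
        self._conn = conn
    def __getattr__(self, name):
        target = getattr(self._conn, name)
        if not callable(target):
            return target
        def call(*args, **kwargs):
            # append() carries a message literal that legitimately contains CRLF,
            # so only its mailbox, flags and date_time arguments are checked.
            pos = args[:3] if name == "append" else args
            named = [v for k, v in kwargs.items() if not (name == "append" and k == "message")]
            for arg in [*pos, *named]:
                if isinstance(arg, (str, bytes, bytearray)):
                    check_imap_arg(arg)
            return target(*args, **kwargs)
        return call

class RecordingConn:
    """Constructed stand-in for imaplib.IMAP4 so the example runs offline."""
    def __init__(self):
        self.sent = []
    def select(self, mailbox):
        self.sent.append(("SELECT", mailbox))
        return "OK", [b"1"]
    def append(self, mailbox, flags, date_time, message):
        self.sent.append(("APPEND", mailbox))
        return "OK", [b"done"]

def demo():
    conn, error = RecordingConn(), None
    imap = CheckedIMAP(conn)
    imap.append("INBOX", None, None, b"Subject: hi\r\n\r\nbody\r\n")  # literal passes
    try:
        imap.select("INBOX\r\nX001 NOOP")  # constructed value with an embedded CRLF
    except ValueError as exc:
        error = str(exc)
    return conn.sent, error
```

In real use the proxy would wrap an `imaplib.IMAP4` or `IMAP4_SSL` instance in place of `RecordingConn`; the rejected value never reaches the connection.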
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | firefox | Not affected | ||
| Red Hat Enterprise Linux 10 | python3.14 | Affected | ||
| Red Hat Enterprise Linux 6 | python | Affected | ||
| Red Hat Enterprise Linux 7 | firefox | Not affected | ||
| Red Hat Enterprise Linux 7 | python | Affected | ||
| Red Hat Enterprise Linux 7 | python3 | Affected | ||
| Red Hat Enterprise Linux 8 | firefox | Not affected | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Enterprise Linux 8 | python39-devel:3.9/python39 | Not affected | ||
| Red Hat Enterprise Linux 9 | firefox | Not affected | ||
Additional information
CVSS3: 7.1 High