The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
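Because the weakness is that the addr-spec (and therefore the domain) is taken from a lenient header parser, the practical mitigation for a signup or allow-list check is to validate the submitted string against a strict pattern first and only use a parser result that agrees with it. The following is an added example for that defender-side check; it is not code from the page or from CPython, and the function name `extract_verified_domain`, the regular expressions, the 254-character cap and the sample addresses are all my own assumptions and constructed values. It deliberately does not reproduce the parsing defect itself.

```python
import re
from email.utils import parseaddr

# Conservative allow-list for a bare addr-spec: dot-atom local part and a
# dotted hostname domain. This is intentionally narrower than RFC 5322: no
# quoted local parts, no comments, no display names, no angle brackets.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDR_SPEC = re.compile(rf"^({_LOCAL})@({_LABEL}(?:\.{_LABEL})+)$")


def extract_verified_domain(raw, allowed_domain):
    """Return the normalised address if `raw` is a bare addr-spec whose domain
    equals `allowed_domain` (case-insensitively); otherwise return None.

    Allow-list first: the whole string must match the strict pattern, so
    characters such as '<', '>', '(', ')', '[', ']', ',' and ';' are rejected
    outright instead of being handed to a lenient header parser. parseaddr()
    is consulted only afterwards, as a cross-check: if it would produce a
    different addr-spec than the strict match did, the input is treated as
    ambiguous and rejected.
    """
    if not isinstance(raw, str) or len(raw) > 254:
        return None
    s = raw.strip()
    m = _ADDR_SPEC.match(s)
    if m is None:
        return None
    local, domain = m.group(1), m.group(2)
    if domain.lower() != allowed_domain.lower():
        return None
    # Cross-check with the stdlib parser; any disagreement means reject.
    name, parsed = parseaddr(s)
    if name != "" or parsed != s:
        return None
    return f"{local}@{domain.lower()}"


if __name__ == "__main__":
    # Constructed sample inputs for a signup form restricted to one domain.
    allowed = "company.example.com"
    for candidate in [
        "alice@company.example.com",
        "Alice.Smith@Company.Example.COM",
        "Alice Smith <alice@company.example.com>",
        "alice@company.example.com<bob@other.example>",
        "alice@other.example.com",
    ]:
        print(repr(candidate), "->", extract_verified_domain(candidate, allowed))
```

The design point is that the domain used for the authorisation decision comes from the strict match, never from `parseaddr()` alone; the parser is a second opinion that can only veto, not admit, an address. Applications that must accept display names or quoted local parts need a correspondingly stricter grammar, but the same rule applies: derive the trusted domain from your own validated match, not from a lenient parser's output.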
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | NONE |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-20 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | CWE-20, CWE-1286 |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| fedoraproject | fedora | 38 | * | Operating System |
| fedoraproject | fedora | 39 | * | Operating System |
| netapp | active_iq_unified_manager | - | * | Application |
| netapp | ontap_select_deploy_administration_utility | - | * | Application |
| python | python | * | * | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
| Yes | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
| Yes | cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |