Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-27043

Published: 19 April 2023

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Notes

AuthorNote
mdeslaur
as of 2024-02-02, bug is still being discussed and pull request
has not been accepted
As of 2024-02-02, the new pull requests are:
https://github.com/python/cpython/pull/108250
https://github.com/python/cpython/pull/111116

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
bionic Deferred
(2024-02-02)
lunar Does not exist

upstream Needs triage

mantic Does not exist

focal Deferred
(2024-02-02)
jammy Deferred
(2024-02-02)
kinetic Ignored
(end of life, was deferred [2024-02-02])
trusty Deferred
(2024-02-02)
xenial Deferred
(2024-02-02)
python3.10
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was deferred [2024-02-02])
lunar Does not exist

bionic Does not exist

focal Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

jammy Deferred
(2024-02-02)
python3.11
Launchpad, Ubuntu, Debian
jammy Deferred
(2024-02-02)
trusty Does not exist

upstream Needs triage

xenial Does not exist

bionic Does not exist

focal Does not exist

kinetic Ignored
(end of life, was deferred [2024-02-02])
lunar Ignored
(end of life, was deferred [2024-02-02])
mantic Deferred
(2024-02-02)
python3.8
Launchpad, Ubuntu, Debian
bionic Deferred
(2024-02-02)
focal Deferred
(2024-02-02)
jammy Does not exist

kinetic Does not exist

lunar Does not exist

upstream Needs triage

trusty Does not exist

xenial Does not exist

mantic Does not exist

python3.4
Launchpad, Ubuntu, Debian
lunar Does not exist

bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

trusty Deferred
(2024-02-02)
python3.5
Launchpad, Ubuntu, Debian
lunar Does not exist

bionic Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

upstream Needs triage

mantic Does not exist

trusty Deferred
(2024-02-02)
xenial Deferred
(2024-02-02)
python3.6
Launchpad, Ubuntu, Debian
lunar Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

bionic Deferred
(2024-02-02)
python3.7
Launchpad, Ubuntu, Debian
lunar Does not exist

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

bionic Deferred
(2024-02-02)
python3.9
Launchpad, Ubuntu, Debian
bionic Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

focal Deferred
(2024-02-02)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N