CVE-2023-27043
Published: 19 April 2023
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
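The protection mechanism described above fails when the application compares an allowlisted domain against whatever `parseaddr()` returns, because the parser may hand back only a portion of the header. The following validator, added here as an illustration (it is not code from this page or from CPython), fails closed instead: it accepts an input only when the entire trimmed string is a single bare addr-spec that `parseaddr()` returns unchanged and that also matches a deliberately narrow grammar. `ALLOWED_DOMAIN`, the function names and the sample inputs are constructed for the example; the domain reuses the advisory's `company.example.com` scenario.

```python
"""Defensive signup-domain check that does not trust parseaddr() alone.

Added illustration for CVE-2023-27043, not code from the CVE page or from
CPython. The validator accepts a string only when the whole trimmed input is
one bare addr-spec that parseaddr() hands back unchanged, so an input where
the parser selects the wrong portion of the header as the addr-spec is
rejected rather than compared against the allowlist.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Domain from the advisory's scenario (constructed configuration value).
ALLOWED_DOMAIN = "company.example.com"

# Conservative addr-spec grammar: dot-atom local part, dotted hostname labels.
# Deliberately narrower than RFC 5322 (no quoted local parts, comments or
# domain literals), so anything unusual fails closed.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDR_SPEC = re.compile(rf"^{_ATOM}(?:\.{_ATOM})*@{_LABEL}(?:\.{_LABEL})+$")


def bare_addr_spec(raw: str) -> Optional[str]:
    """Return the addr-spec if `raw` is exactly one bare address, else None.

    Two independent checks, each of which rejects on its own:
      1. parseaddr() must return no display name and an addr-spec identical
         to the whole trimmed input, so nothing was dropped or reinterpreted
         (this holds whether or not the installed Python carries the fix);
      2. the addr-spec must match the conservative grammar above, which also
         guarantees exactly one '@' between local part and domain.
    """
    candidate = raw.strip()
    display_name, addr = parseaddr(candidate)
    if display_name or not addr or addr != candidate:
        return None
    if not _ADDR_SPEC.fullmatch(addr):
        return None
    return addr


def signup_domain(raw: str) -> Optional[str]:
    """Lower-cased domain of a validated bare address, or None."""
    addr = bare_addr_spec(raw)
    if addr is None:
        return None
    return addr.rpartition("@")[2].lower()


def is_allowed_signup(raw: str, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """True only if the whole input is one bare address on the allowlisted domain."""
    return signup_domain(raw) == allowed_domain.lower()


if __name__ == "__main__":
    # Constructed sample inputs: one valid form and several that must fail closed.
    samples = [
        "alice@company.example.com",                      # accepted
        "Alice <alice@company.example.com>",              # display-name form: rejected
        "alice@company.example.com, bob@other.example",   # two addresses: rejected
        "alice@other.example",                            # wrong domain: rejected
        "alice@company.example.com extra",                # trailing junk: rejected
    ]
    for sample in samples:
        print(f"{sample!r:50} -> {is_allowed_signup(sample)}")
```

The round-trip check (`addr != candidate`) is what makes the function independent of the parser version: on an unfixed interpreter a multi-address or otherwise malformed input yields an addr-spec that is shorter than the input, and on a fixed interpreter it yields an empty string; both are rejected. The grammar check then catches any case where the parser echoes back a string that still contains characters a bare address should not have.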
Notes
| Author | Note |
|---|---|
| mdeslaur | As of 2024-07-18, the new pull requests are: https://github.com/python/cpython/pull/108250 https://github.com/python/cpython/pull/111116 |
| allenpthuang | as of 2024-04-11, one of the pull requests has been merged (pull/111116) while the bug (gh-102988) remains open. |
| mdeslaur | as of 2024-07-18, the fixes haven't been backported to the stable releases. See gh-102988 bug. |
Priority
Status
| Package | Release | Status |
|---|---|---|
| python2.7 (Launchpad, Ubuntu, Debian) | bionic | Deferred (2024-07-18) |
| python2.7 | focal | Deferred (2024-07-18) |
| python2.7 | jammy | Deferred (2024-07-18) |
| python2.7 | kinetic | Ignored (end of life, was deferred [2024-07-18]) |
| python2.7 | lunar | Does not exist |
| python2.7 | mantic | Does not exist |
| python2.7 | noble | Does not exist |
| python2.7 | trusty | Deferred (2024-07-18) |
| python2.7 | upstream | Needs triage |
| python2.7 | xenial | Deferred (2024-07-18) |
| python3.10 (Launchpad, Ubuntu, Debian) | bionic | Does not exist |
| python3.10 | focal | Does not exist |
| python3.10 | jammy | Deferred (2024-07-18) |
| python3.10 | kinetic | Ignored (end of life, was deferred [2024-07-18]) |
| python3.10 | lunar | Does not exist |
| python3.10 | mantic | Does not exist |
| python3.10 | noble | Does not exist |
| python3.10 | trusty | Does not exist |
| python3.10 | upstream | Needs triage |
| python3.10 | xenial | Does not exist |
| python3.11 (Launchpad, Ubuntu, Debian) | bionic | Does not exist |
| python3.11 | focal | Does not exist |
| python3.11 | jammy | Deferred (2024-07-18) |
| python3.11 | kinetic | Ignored (end of life, was deferred [2024-07-18]) |
| python3.11 | lunar | Ignored (end of life, was deferred [2024-07-18]) |
| python3.11 | mantic | Ignored (end of life, was deferred [2024-07-18]) |
| python3.11 | noble | Does not exist |
| python3.11 | trusty | Does not exist |
| python3.11 | upstream | Needs triage |
| python3.11 | xenial | Does not exist |
| python3.4 (Launchpad, Ubuntu, Debian) | bionic | Does not exist |
| python3.4 | focal | Does not exist |
| python3.4 | jammy | Does not exist |
| python3.4 | kinetic | Does not exist |
| python3.4 | lunar | Does not exist |
| python3.4 | mantic | Does not exist |
| python3.4 | noble | Does not exist |
| python3.4 | trusty | Deferred (2024-07-18) |
| python3.4 | upstream | Needs triage |
| python3.4 | xenial | Does not exist |
| python3.5 (Launchpad, Ubuntu, Debian) | bionic | Does not exist |
| python3.5 | focal | Does not exist |
| python3.5 | jammy | Does not exist |
| python3.5 | kinetic | Does not exist |
| python3.5 | lunar | Does not exist |
| python3.5 | mantic | Does not exist |
| python3.5 | noble | Does not exist |
| python3.5 | trusty | Deferred (2024-07-18) |
| python3.5 | upstream | Needs triage |
| python3.5 | xenial | Deferred (2024-07-18) |
| python3.6 (Launchpad, Ubuntu, Debian) | bionic | Deferred (2024-07-18) |
| python3.6 | focal | Does not exist |
| python3.6 | jammy | Does not exist |
| python3.6 | kinetic | Does not exist |
| python3.6 | lunar | Does not exist |
| python3.6 | mantic | Does not exist |
| python3.6 | noble | Does not exist |
| python3.6 | trusty | Does not exist |
| python3.6 | upstream | Needs triage |
| python3.6 | xenial | Does not exist |
| python3.7 (Launchpad, Ubuntu, Debian) | bionic | Deferred (2024-07-18) |
| python3.7 | focal | Does not exist |
| python3.7 | jammy | Does not exist |
| python3.7 | kinetic | Does not exist |
| python3.7 | lunar | Does not exist |
| python3.7 | mantic | Does not exist |
| python3.7 | noble | Does not exist |
| python3.7 | trusty | Does not exist |
| python3.7 | upstream | Needs triage |
| python3.7 | xenial | Does not exist |
| python3.8 (Launchpad, Ubuntu, Debian) | bionic | Deferred (2024-07-18) |
| python3.8 | focal | Deferred (2024-07-18) |
| python3.8 | jammy | Does not exist |
| python3.8 | kinetic | Does not exist |
| python3.8 | lunar | Does not exist |
| python3.8 | mantic | Does not exist |
| python3.8 | noble | Does not exist |
| python3.8 | trusty | Does not exist |
| python3.8 | upstream | Needs triage |
| python3.8 | xenial | Does not exist |
| python3.9 (Launchpad, Ubuntu, Debian) | bionic | Does not exist |
| python3.9 | focal | Deferred (2024-07-18) |
| python3.9 | jammy | Does not exist |
| python3.9 | kinetic | Does not exist |
| python3.9 | lunar | Does not exist |
| python3.9 | mantic | Does not exist |
| python3.9 | noble | Does not exist |
| python3.9 | trusty | Does not exist |
| python3.9 | upstream | Needs triage |
| python3.9 | xenial | Does not exist |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |