CVE-2019-16056

python: email.utils.parseaddr wrongly parses email addresses

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Se descubrió un problema en Python versiones hasta 2.7.16, versiones 3.x hasta 3.5.7, versiones 3.6.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4. El módulo de correo electrónico analiza incorrectamente las direcciones de correo electrónico que contienen múltiples caracteres @. Una aplicación que usa el módulo de correo electrónico e implementa algún tipo de comprobación sobre los encabezados From/To de un mensaje podría ser engañada para aceptar una dirección de correo electrónico que debería ser denegada. Un ataque puede ser el mismo que en CVE-2019-11340; sin embargo, este CVE aplica a Python de manera más general.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. This package provides the "python3" executable: the reference interpreter for the Python language, version 3. The majority of its standard library is provided in the python3-libs package, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages. Issues addressed include an incorrect parsing vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-06 CVE Reserved
2019-09-06 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (36)

URL	Tag	Source
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Mailing List
https://security.netapp.com/advisory/ntap-20190926-0005	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2020.html	2023-11-07
https://www.oracle.com/security-alerts/cpujul2020.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3725	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3948	2023-11-07
https://bugs.python.org/issue34155	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76	2023-11-07
https://usn.ubuntu.com/4151-1	2023-11-07
https://usn.ubuntu.com/4151-2	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-16056	2020-06-12
https://bugzilla.redhat.com/show_bug.cgi?id=1749839	2020-06-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				<= 2.7.16 Search vendor "Python" for product "Python" and version " <= 2.7.16"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.0.0 <= 3.0.1 Search vendor "Python" for product "Python" and version " >= 3.0.0 <= 3.0.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.1.0 <= 3.1.5 Search vendor "Python" for product "Python" and version " >= 3.1.0 <= 3.1.5"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.2.0 <= 3.2.6 Search vendor "Python" for product "Python" and version " >= 3.2.0 <= 3.2.6"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.3.0 <= 3.3.7 Search vendor "Python" for product "Python" and version " >= 3.3.0 <= 3.3.7"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.4.0 <= 3.4.10 Search vendor "Python" for product "Python" and version " >= 3.4.0 <= 3.4.10"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.5.0 <= 3.5.7 Search vendor "Python" for product "Python" and version " >= 3.5.0 <= 3.5.7"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.6.0 <= 3.6.9 Search vendor "Python" for product "Python" and version " >= 3.6.0 <= 3.6.9"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.7.0 <= 3.7.4 Search vendor "Python" for product "Python" and version " >= 3.7.0 <= 3.7.4"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				29 Search vendor "Fedoraproject" for product "Fedora" and version "29"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected
Redhat Search vendor "Redhat"		Software Collections Search vendor "Redhat" for product "Software Collections"				1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor"				>= 4.1 <= 4.3 Search vendor "Oracle" for product "Communications Operations Monitor" and version " >= 4.1 <= 4.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor"				3.4 Search vendor "Oracle" for product "Communications Operations Monitor" and version "3.4"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit"				8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"		-		Affected
Oracle Search vendor "Oracle"		Solaris Search vendor "Oracle" for product "Solaris"				11 Search vendor "Oracle" for product "Solaris" and version "11"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.0 Search vendor "Opensuse" for product "Leap" and version "15.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected