// For flags

CVE-2019-16056

python: email.utils.parseaddr wrongly parses email addresses

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Se descubrió un problema en Python versiones hasta 2.7.16, versiones 3.x hasta 3.5.7, versiones 3.6.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4. El módulo de correo electrónico analiza incorrectamente las direcciones de correo electrónico que contienen múltiples caracteres @. Una aplicación que usa el módulo de correo electrónico e implementa algún tipo de comprobación sobre los encabezados From/To de un mensaje podría ser engañada para aceptar una dirección de correo electrónico que debería ser denegada. Un ataque puede ser el mismo que en CVE-2019-11340; sin embargo, este CVE aplica a Python de manera más general.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-09-06 CVE Reserved
  • 2019-09-06 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
References (36)
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3725 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3948 2023-11-07
https://bugs.python.org/issue34155 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76 2023-11-07
https://usn.ubuntu.com/4151-1 2023-11-07
https://usn.ubuntu.com/4151-2 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-16056 2020-06-12
https://bugzilla.redhat.com/show_bug.cgi?id=1749839 2020-06-12
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
<= 2.7.16
Search vendor "Python" for product "Python" and version " <= 2.7.16"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.0.0 <= 3.0.1
Search vendor "Python" for product "Python" and version " >= 3.0.0 <= 3.0.1"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.1.0 <= 3.1.5
Search vendor "Python" for product "Python" and version " >= 3.1.0 <= 3.1.5"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.2.0 <= 3.2.6
Search vendor "Python" for product "Python" and version " >= 3.2.0 <= 3.2.6"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.3.0 <= 3.3.7
Search vendor "Python" for product "Python" and version " >= 3.3.0 <= 3.3.7"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.4.0 <= 3.4.10
Search vendor "Python" for product "Python" and version " >= 3.4.0 <= 3.4.10"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.5.0 <= 3.5.7
Search vendor "Python" for product "Python" and version " >= 3.5.0 <= 3.5.7"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.6.0 <= 3.6.9
Search vendor "Python" for product "Python" and version " >= 3.6.0 <= 3.6.9"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
>= 3.7.0 <= 3.7.4
Search vendor "Python" for product "Python" and version " >= 3.7.0 <= 3.7.4"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
29
Search vendor "Fedoraproject" for product "Fedora" and version "29"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
30
Search vendor "Fedoraproject" for product "Fedora" and version "30"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
31
Search vendor "Fedoraproject" for product "Fedora" and version "31"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
esm
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
19.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"
-
Affected
Redhat
Search vendor "Redhat"
Software Collections
Search vendor "Redhat" for product "Software Collections"
1.0
Search vendor "Redhat" for product "Software Collections" and version "1.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Operations Monitor
Search vendor "Oracle" for product "Communications Operations Monitor"
>= 4.1 <= 4.3
Search vendor "Oracle" for product "Communications Operations Monitor" and version " >= 4.1 <= 4.3"
-
Affected
Oracle
Search vendor "Oracle"
Communications Operations Monitor
Search vendor "Oracle" for product "Communications Operations Monitor"
3.4
Search vendor "Oracle" for product "Communications Operations Monitor" and version "3.4"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.57
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
Zfs Storage Appliance Kit
Search vendor "Oracle" for product "Zfs Storage Appliance Kit"
8.8
Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"
-
Affected
Oracle
Search vendor "Oracle"
Solaris
Search vendor "Oracle" for product "Solaris"
11
Search vendor "Oracle" for product "Solaris" and version "11"
-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.0
Search vendor "Opensuse" for product "Leap" and version "15.0"
-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected