CVE-2019-16056
python: email.utils.parseaddr wrongly parses email addresses
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
Se descubrió un problema en Python versiones hasta 2.7.16, versiones 3.x hasta 3.5.7, versiones 3.6.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4. El módulo de correo electrónico analiza incorrectamente las direcciones de correo electrónico que contienen múltiples caracteres @. Una aplicación que usa el módulo de correo electrónico e implementa algún tipo de comprobación sobre los encabezados From/To de un mensaje podría ser engañada para aceptar una dirección de correo electrónico que debería ser denegada. Un ataque puede ser el mismo que en CVE-2019-11340; sin embargo, este CVE aplica a Python de manera más general.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-09-06 CVE Reserved
- 2019-09-06 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (36)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuapr2020.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujul2020.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | <= 2.7.16 Search vendor "Python" for product "Python" and version " <= 2.7.16" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.0.0 <= 3.0.1 Search vendor "Python" for product "Python" and version " >= 3.0.0 <= 3.0.1" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.1.0 <= 3.1.5 Search vendor "Python" for product "Python" and version " >= 3.1.0 <= 3.1.5" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.2.0 <= 3.2.6 Search vendor "Python" for product "Python" and version " >= 3.2.0 <= 3.2.6" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.3.0 <= 3.3.7 Search vendor "Python" for product "Python" and version " >= 3.3.0 <= 3.3.7" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.4.0 <= 3.4.10 Search vendor "Python" for product "Python" and version " >= 3.4.0 <= 3.4.10" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.5.0 <= 3.5.7 Search vendor "Python" for product "Python" and version " >= 3.5.0 <= 3.5.7" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.6.0 <= 3.6.9 Search vendor "Python" for product "Python" and version " >= 3.6.0 <= 3.6.9" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.7.0 <= 3.7.4 Search vendor "Python" for product "Python" and version " >= 3.7.0 <= 3.7.4" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 29 Search vendor "Fedoraproject" for product "Fedora" and version "29" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | esm |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | esm |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | 1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor" | >= 4.1 <= 4.3 Search vendor "Oracle" for product "Communications Operations Monitor" and version " >= 4.1 <= 4.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Operations Monitor Search vendor "Oracle" for product "Communications Operations Monitor" | 3.4 Search vendor "Oracle" for product "Communications Operations Monitor" and version "3.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit" | 8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Solaris Search vendor "Oracle" for product "Solaris" | 11 Search vendor "Oracle" for product "Solaris" and version "11" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.0 Search vendor "Opensuse" for product "Leap" and version "15.0" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
|