CVE-2024-6923
Email header injection due to unquoted newlines
Severity Score
5.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
There is a MEDIUM severity vulnerability affecting CPython.
The
email module didn’t properly quote newlines for email headers when
serializing an email message allowing for header injection when an email
is serialized.
A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity.
*Credits:
Petr Viktorin, Seth Larson, John Whitlock, Bas Bloemsaat
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-07-19 CVE Reserved
- 2024-08-01 CVE Published
- 2024-09-05 EPSS Updated
- 2024-09-26 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://github.com/python/cpython/issues/121650 | Issue Tracking |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Python Software Foundation Search vendor "Python Software Foundation" | CPython Search vendor "Python Software Foundation" for product "CPython" | < 3.8.20 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.8.20" | en |
Affected
| ||||||
| Python Software Foundation Search vendor "Python Software Foundation" | CPython Search vendor "Python Software Foundation" for product "CPython" | >= 3.9.0 < 3.9.20 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.9.0 < 3.9.20" | en |
Affected
| ||||||
| Python Software Foundation Search vendor "Python Software Foundation" | CPython Search vendor "Python Software Foundation" for product "CPython" | >= 3.10.0 < 3.10.15 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.10.0 < 3.10.15" | en |
Affected
| ||||||
| Python Software Foundation Search vendor "Python Software Foundation" | CPython Search vendor "Python Software Foundation" for product "CPython" | >= 3.11.0 < 3.11.10 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.11.0 < 3.11.10" | en |
Affected
| ||||||
| Python Software Foundation Search vendor "Python Software Foundation" | CPython Search vendor "Python Software Foundation" for product "CPython" | >= 3.12.0 < 3.12.5 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.12.0 < 3.12.5" | en |
Affected
| ||||||