CVE-2023-27043

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

deaf509e8fc6e0363bd6f26d52ad42f976ec42f2

Fixed

0c47759eee3e170e04a5dae82f12f6b375ae78f7

Introduced

6046c5e0298c25515ea58abc8ab87f7413e3f743

Fixed

39b2f82717a69dde7212bc39b673b0f55c99e6a3

Introduced

9cf6752276e6fcfd0c23fdb064ad27f448aaaf75

Fixed

8c3f7946ec848ec16cf28418c0f984ecaa029541

Introduced

0fb18b02c8ad56299d6a2910be0bab8ad601ef24

Fixed

a4a2d2b0d85273f746c3834ce2753e19c898949d

Introduced

b494f5935c92951e75597bfe1c8b1f3112fec270

Fixed

ffee63f34445412322a7afc2535731be221cabba

Affected versions

v3.*

v3.10.0

v3.10.1

v3.10.10

v3.10.11

v3.10.12

v3.10.13

v3.10.14

v3.10.2

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.7

v3.10.8

v3.10.9

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

v3.11.8

v3.11.9

v3.12.0

v3.12.1

v3.12.2

v3.12.3

v3.12.4

v3.12.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27043.json"