GHSA-pr2m-px7j-xg65

Suggest an improvement
Source
https://github.com/advisories/GHSA-pr2m-px7j-xg65
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-pr2m-px7j-xg65/GHSA-pr2m-px7j-xg65.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pr2m-px7j-xg65
Aliases
Related
Published
2024-03-13T15:33:14Z
Modified
2025-01-22T19:09:37.682401Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
aiosmtpd vulnerable to SMTP smuggling
Details

Summary

aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also existed in other SMTP software like Postfix (https://www.postfix.org/smtp-smuggling.html).

Details

Detailed information on SMTP smuggling can be found in the full blog post (https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) or on the Postfix homepage (https://www.postfix.org/smtp-smuggling.html). (and soon on the official website https://smtpsmuggling.com/)

Impact

With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances.

Database specific 
{
    "cwe_ids": [
        "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T15:33:14Z",
    "severity": "MODERATE",
    "nvd_published_at": "2024-03-12T21:15:58Z"
}
References

Affected packages

PyPI / aiosmtpd

Package

Name
aiosmtpd
View open source insights on deps.dev
Purl
pkg:pypi/aiosmtpd

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.5

Affected versions

1.*

1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0b1
1.0rc1
1.0
1.1
1.2
1.2.2
1.2.4
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3rc1
1.4.3rc2
1.4.3
1.4.4
1.4.4.post1
1.4.4.post2