PYSEC-2024-221

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aiosmtpd/PYSEC-2024-221.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2024-221
Aliases
Related
Published
2024-03-12T21:15:58Z
Modified
2025-01-22T16:56:54.151348Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

PyPI / aiosmtpd

Package

Name
aiosmtpd
View open source insights on deps.dev
Purl
pkg:pypi/aiosmtpd

Affected ranges

Type
GIT
Repo
https://github.com/aio-libs/aiosmtpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
24b6c79c8921cf1800e27ca144f4f37023982bbb
Fixed
24b6c79c8921cf1800e27ca144f4f37023982bbb
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.5

Affected versions

1.*

1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0b1
1.0rc1
1.0
1.1
1.2
1.2.2
1.2.4
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3rc1
1.4.3rc2
1.4.3
1.4.4
1.4.4.post1
1.4.4.post2