#VU22617 Input validation error in Python


Published: 2019-11-10

Vulnerability identifier: #VU22617

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16056

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when processing multiple occurrences of the "@" character in an email address. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 2.7.0 - 2.7.16, 3.5.0 - 3.5.7, 3.6.0 - 3.6.9, 3.7.0 - 3.7.4

External links
http://bugs.python.org/issue34155
http://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Multiple vulnerabilities in Oracle Communications Operations Monitor
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 8 update for the python27:2.7 module
Red Hat Enterprise Linux 8 update for python3
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 7 update for python3
Red Hat update for python27-python
OpenSUSE Linux update for python3
OpenSUSE Linux update for python3