#VU82980 Input validation error in Python


Published: 2023-11-10

Vulnerability identifier: #VU82980

Vulnerability risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-27043

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to bypass filtration.

The vulnerability exists due to insufficient validation of user-supplied input when parsing email address with a special character. A remote attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Python: 3.11.0 - 3.11.3

External links
http://github.com/python/cpython/issues/102988
http://python-security.readthedocs.io/vuln/email-parseaddr-realname.html
http://security.netapp.com/advisory/ntap-20230601-0003/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Migration Toolkit for Containers (MTC) 1.7
SUSE update for python311
Red Hat Enterprise Linux 9 update for python3.11
Multiple vulnerabilities in Red Hat Migration Toolkit for Containers (MTC) 1.8
Multiple vulnerabilities in Migration Toolkit for Runtimes 1.2
Multiple vulnerabilities in Red Hat Service Interconnect 1.5
Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.3
Multiple vulnerabilities in IBM Sterling Order Management
Multiple vulnerabilities in Juniper Networks Junos cRPD
Multiple vulnerabilities in Juniper Cloud Native Router