OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"vendor_product": "fedoraproject:fedora",
"extracted_events": [
{
"introduced": "33"
},
{
"last_affected": "33"
},
{
"introduced": "34"
},
{
"last_affected": "34"
}
]
}
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:trusteddomain:opendmarc:*:*:*:*:*:*:*:*",
"cpe:2.3:a:trusteddomain:opendmarc:1.4.0:-:*:*:*:*:*:*",
"cpe:2.3:a:trusteddomain:opendmarc:1.4.0:beta0:*:*:*:*:*:*",
"cpe:2.3:a:trusteddomain:opendmarc:1.4.0:beta1:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "1.3.2"
},
{
"introduced": "1.4.0-NA"
},
{
"last_affected": "1.4.0-NA"
},
{
"introduced": "1.4.0-beta0"
},
{
"last_affected": "1.4.0-beta0"
},
{
"introduced": "1.4.0-beta1"
},
{
"last_affected": "1.4.0-beta1"
}
]
}