CVE-2023-27582

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-27582

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27582.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-27582

Aliases

Published

2023-03-13T21:40:23.225Z

Modified

2026-04-10T04:56:43.347326Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Full authentication bypass if SASL authorization username is specified

Details

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-305"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27582.json"
}

References

Affected packages

Git / github.com/foxcpp/maddy

Affected ranges

Type

GIT

Repo

https://github.com/foxcpp/maddy

Events

Introduced

b54c705e2d3f415daa853a2e146322f4f29a8dca

Fixed

ee1e340c77ed04f1f76aed826bc6a53c07fddc75

Fixed

55a91a37b71210f34f98f4d327c30308fe24399a

Fixed

9f58cb64b39cdc01928ec463bdb198c4c2313a9c

Database specific

{
    "versions": [
        {
            "introduced": "0.2.0"
        },
        {
            "fixed": "0.6.3"
        }
    ]
}

Affected versions

v0.*

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27582.json"