GHSA-pr2m-px7j-xg65

Suggest an improvement
Source
https://github.com/advisories/GHSA-pr2m-px7j-xg65
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-pr2m-px7j-xg65/GHSA-pr2m-px7j-xg65.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pr2m-px7j-xg65
Aliases
Published
2024-03-13T15:33:14Z
Modified
2024-03-13T16:11:39.703245Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
aiosmtpd vulnerable to SMTP smuggling
Details

Summary

aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also existed in other SMTP software like Postfix (https://www.postfix.org/smtp-smuggling.html).

Details

Detailed information on SMTP smuggling can be found in the full blog post (https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) or on the Postfix homepage (https://www.postfix.org/smtp-smuggling.html). (and soon on the official website https://smtpsmuggling.com/)

Impact

With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances.

References

Affected packages

PyPI / aiosmtpd

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.5

Affected versions

1.*

1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0b1
1.0rc1
1.0
1.1
1.2
1.2.2
1.2.4
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3rc1
1.4.3rc2
1.4.3
1.4.4
1.4.4.post1
1.4.4.post2