Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
No PoCs from references.
- https://github.com/GitHubForSnap/matrix-commander-gael
- https://github.com/Intevation/intelmq-certbund-contact
- https://github.com/NathanielAPawluk/sec-buddy
- https://github.com/OzNetNerd/CheckovOutputProcessor
- https://github.com/adegoodyer/kubernetes-admin-toolkit
- https://github.com/fkie-cad/nvd-json-data-feeds