system/python3: CVE-2019-16056: email.message_from_string does not parse multiple @ in From: correctly
Bugzilla ID | 197 |
Alias(es) | CVE-2019-16056 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2019-09-12 15:50:12 -0500 |
Modified | 2019-09-30 15:00:26 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-BETA3 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
URL | https://nvd.nist.gov/vuln/detail/CVE-2019-16056 |
Description
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7,
3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly
parses email addresses that contain multiple @ characters. An
application that uses the email module and implements some kind of
checks on the From/To headers of a message could be tricked into
accepting an email address that should be denied. An attack may be the
same as in CVE-2019-11340; however, this CVE applies to Python more
generally.
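
A fail-closed sender check for the kind of application the description mentions, as an added example that is not code from this bug report, from Adélie Linux or from CPython; the allow-list, domains and sample messages are constructed. It refuses any From: value that does not contain exactly one @ before the email module parses it, so the decision does not depend on whether the installed interpreter carries the fix.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list for the example (assumption, not from the bug report).
ALLOWED_DOMAINS = {"good.example"}

# Constructed sample messages.
SAMPLE_OK = "From: Alice <alice@good.example>\nSubject: hi\n\nbody\n"
SAMPLE_MULTI_AT = "From: alice@evil.example@good.example\nSubject: hi\n\nbody\n"


def sender_domain(raw_message):
    """Return the lower-cased From: domain, or None if the header is ambiguous."""
    msg = message_from_string(raw_message)
    values = msg.get_all("From", [])
    # Exactly one From: header; duplicates let two parsers pick different ones.
    if len(values) != 1:
        return None
    raw = str(values[0])
    # Fail closed before parsing: one mailbox means one '@'. This is stricter
    # than RFC 5322 (a quoted display name may contain '@'), but it does not
    # rely on how the installed email module handles repeated '@'.
    if raw.count("@") != 1:
        return None
    parsed = getaddresses([raw])
    if len(parsed) != 1:
        return None
    _name, addr = parsed[0]
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return None
    return domain.lower()


def is_allowed_sender(raw_message):
    """True only when the single, unambiguous From: domain is allow-listed."""
    return sender_domain(raw_message) in ALLOWED_DOMAINS


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MULTI_AT):
        print(repr(sample.splitlines()[0]), "->", is_allowed_sender(sample))
```
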