Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Z2p2LTlqM3EtamhnOM4AA8Vk
aiosmtpd STARTTLS unencrypted commands injection
Summary
SMTP servers built on aiosmtpd keep processing plaintext commands that are already queued behind a STARTTLS command once the TLS handshake has completed, treating them as if the client had sent them inside the encrypted session. RFC 3207 requires the client to send nothing after STARTTLS until the handshake finishes, so any such trailing bytes can only come from a misbehaving client or from an on-path (MitM) attacker, who can use them to inject commands into the TLS-protected session.
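The buffering flaw described above, as an added illustration that is not aiosmtpd's code or the project's fix: a toy line-based SMTP command loop with a vulnerable STARTTLS handler beside a hardened one. The class name, the `hardened` switch and the replayed segment are all constructed for this example, and the TLS handshake is simulated by flipping a flag rather than negotiated.

```python
# Added example (not aiosmtpd code): a toy SMTP command loop modelling the
# STARTTLS buffering flaw, with the vulnerable and hardened behaviour side by side.
# All names are hypothetical; the "TLS handshake" is simulated by a flag.

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ToySmtpServer:
    """Minimal SMTP command loop with a per-connection receive buffer."""
    hardened: bool                       # refuse data queued behind STARTTLS?
    buffer: bytes = b""                  # bytes read from the socket, not yet parsed
    tls: bool = False                    # True once the (simulated) handshake is done
    closed: bool = False
    executed: List[Tuple[bool, str]] = field(default_factory=list)  # (over_tls, command)
    replies: List[str] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Simulate the bytes of one TCP segment arriving on the socket."""
        self.buffer += data
        while not self.closed and b"\r\n" in self.buffer:
            raw, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(raw.decode("ascii", "replace").strip())

    def _dispatch(self, line: str) -> None:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            self._starttls()
            return
        # Every other verb: record whether it ran inside the TLS session.
        self.executed.append((self.tls, line))
        self.replies.append("250 OK")

    def _starttls(self) -> None:
        if self.tls:
            self.replies.append("503 TLS already active")
            return
        if self.hardened and self.buffer:
            # Hardened: plaintext already queued behind STARTTLS violates
            # RFC 3207, so refuse the upgrade and drop the connection instead
            # of letting those bytes surface inside the TLS session.
            self.replies.append("501 Syntax error (data after STARTTLS)")
            self.closed = True
            return
        self.replies.append("220 Ready to start TLS")
        self.tls = True
        if self.hardened:
            # Invariant a real upgrade must enforce: nothing read before the
            # handshake may be carried into the encrypted session.
            self.buffer = b""
        # Vulnerable variant: the buffer is left as-is and the loop in feed()
        # keeps parsing it, now with self.tls == True.


def replay_injection(hardened: bool) -> List[str]:
    """Feed one constructed segment in which plaintext commands trail STARTTLS
    (what an on-path attacker can append) and return the commands the server
    executed while believing the session was encrypted."""
    srv = ToySmtpServer(hardened=hardened)
    srv.feed(b"EHLO client.example\r\n")
    # Constructed attacker segment: the client's STARTTLS plus injected plaintext.
    srv.feed(b"STARTTLS\r\nRSET\r\nMAIL FROM:<attacker@example.net>\r\n")
    # The real client now sends its own commands inside TLS.
    if not srv.closed:
        srv.feed(b"MAIL FROM:<alice@example.org>\r\n")
    return [cmd for over_tls, cmd in srv.executed if over_tls]


if __name__ == "__main__":
    print("vulnerable:", replay_injection(hardened=False))
    print("hardened:  ", replay_injection(hardened=True))
```

With `hardened=False` the injected `RSET` and `MAIL FROM` lines are executed as if the authenticated client had sent them over TLS; with `hardened=True` the upgrade is refused and the connection closed, while a clean `STARTTLS` segment with nothing queued behind it still upgrades normally. The same invariant (no pre-handshake bytes survive into the encrypted session) is what a real server must enforce when it swaps its plaintext reader for the TLS one.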
Permalink: https://github.com/advisories/GHSA-wgjv-9j3q-jhg8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Z2p2LTlqM3EtamhnOM4AA8Vk
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-wgjv-9j3q-jhg8, CVE-2024-34083
References:
- https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
- https://nvd.nist.gov/vuln/detail/CVE-2024-34083
- https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
- https://nostarttls.secvuln.info
- https://github.com/advisories/GHSA-wgjv-9j3q-jhg8
Blast Radius: 13.5
Affected Packages
pypi:aiosmtpd
Dependent packages: 24
Dependent repositories: 310
Downloads: 327,388 last month
Affected Version Ranges: < 1.4.6
Fixed in: 1.4.6
All affected versions: 1.2.2, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5
All unaffected versions: 1.4.6