Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xZzM2LTlqeGgtZmoyNc4AAza_
Incorrect signature verification in django-ses
The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class
intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZzM2LTlqeGgtZmoyNc4AAza_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 7 months ago
CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Identifiers: GHSA-qg36-9jxh-fj25, CVE-2023-33185
References:
- https://github.com/django-ses/django-ses/security/advisories/GHSA-qg36-9jxh-fj25
- https://github.com/django-ses/django-ses/commit/b71b5f413293a13997b6e6314086cb9c22629795
- https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-33185
- https://github.com/pypa/advisory-database/tree/main/vulns/django-ses/PYSEC-2023-82.yaml
- https://github.com/advisories/GHSA-qg36-9jxh-fj25
Blast Radius: 13.4
Affected Packages
pypi:django-ses
Dependent packages: 6Dependent repositories: 814
Downloads: 670,427 last month
Affected Version Ranges: < 3.5.0
Fixed in: 3.5.0
All affected versions: 0.3.0, 0.4.0, 0.4.1, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.1, 3.1.0, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1
All unaffected versions: 3.5.0, 3.5.1, 3.5.2, 3.6.0, 4.0.0