Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xZzM2LTlqeGgtZmoyNc4AAza_

Incorrect signature verification in django-ses

The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates.

Permalink: https://github.com/advisories/GHSA-qg36-9jxh-fj25
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZzM2LTlqeGgtZmoyNc4AAza_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 7 months ago

CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Identifiers: GHSA-qg36-9jxh-fj25, CVE-2023-33185
References:

Repository: https://github.com/django-ses/django-ses
Blast Radius: 13.4

Affected Packages

pypi:django-ses

Dependent packages: 6
Dependent repositories: 814
Downloads: 670,427 last month
Affected Version Ranges: < 3.5.0
Fixed in: 3.5.0
All affected versions: 0.3.0, 0.4.0, 0.4.1, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.1, 3.1.0, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1
All unaffected versions: 3.5.0, 3.5.1, 3.5.2, 3.6.0, 4.0.0