CVE-2024-27305

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

No configuration.

History

21 Nov 2024, 09:04

Type Values Removed Values Added
References () https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb - () https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb -
References () https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65 - () https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65 -
References () https://www.postfix.org/smtp-smuggling.html - () https://www.postfix.org/smtp-smuggling.html -

13 Mar 2024, 12:33

Type Values Removed Values Added
Summary
  • (es) aiosmtpd es una reimplementación de Python stdlib smtpd.py basada en asyncio. aiosmtpd es vulnerable al contrabando SMTP entrante. El contrabando SMTP es una vulnerabilidad novedosa basada en diferencias de interpretación no tan novedosas del protocolo SMTP. Al explotar el contrabando SMTP, un atacante puede enviar correos electrónicos de contrabando/falsificación con direcciones de remitente falsas, lo que permite ataques de phishing avanzados. Este problema también existe en otro software SMTP como Postfix. Con la constelación de servidores SMTP adecuada, un atacante puede enviar correos electrónicos falsificados a instancias entrantes/receptoras de aiosmtpd. Este problema se solucionó en la versión 1.4.5. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

12 Mar 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-03-12 21:15

Updated : 2024-11-21 09:04


NVD link : CVE-2024-27305

Mitre link : CVE-2024-27305

CVE.ORG link : CVE-2024-27305


JSON object : View

Products Affected

No product.

CWE
CWE-345

Insufficient Verification of Data Authenticity