CVE-2023-27043

Description

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

How to fix CVE-2023-27043

To remediate CVE-2023-27043, upgrade the affected package to a fixed version below.

• —upgrade to 3.10.15-r0 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 7.3.5+dfsg-2+deb11u4 or later
• —no fix listed
• —upgrade to 3.11.2-6+deb12u5 or later
• —upgrade to 3.9.2-1+deb11u2 or later

Is CVE-2023-27043 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 3.10.15-r0
• from 0, < 3.8.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6, >= 3.9.0, < 3.9.20
• from 0, < 3.8.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6, >= 3.9.0, < 3.9.20
• from 0, < 3.8.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6, >= 3.9.0, < 3.9.20
• from 0, < 7.3.5+dfsg-2+deb11u4
• from 0
• from 0, < 3.11.2-6+deb12u5
• from 0, < 3.9.2-1+deb11u2

CVSS scores

References (49)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-27043
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-27043
• WEBpython.org
• WEBcert-portal.siemens.com/productcert/html/ssa-202008.html
• WEB