CVE-2024-6923

Description

There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

How to fix CVE-2024-6923

To remediate CVE-2024-6923, upgrade the affected package to a fixed version below.

• Alpine/python3—upgrade to 3.10.15-r0 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 7.3.5+dfsg-2+deb11u5 or later
• —no fix listed
• —upgrade to 3.11.2-6+deb12u5 or later
• —upgrade to 3.13.0~rc2-1 or later
• —upgrade to 3.9.2-1+deb11u2 or later

Is CVE-2024-6923 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

• from 0, < 3.10.15-r0
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.5
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.5
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.5
• from 0, < 7.3.5+dfsg-2+deb11u5
• from 0
• from 0, < 3.11.2-6+deb12u5
• from 0, < 3.13.0~rc2-1
• from 0, < 3.9.2-1+deb11u2

CVSS scores

References (18)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-6923
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-6923
• WEBgithub.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147
• WEBgithub.com/python/cpython/commit/097633981879b3c9de9a1dd120d3aa585ecc2384