CVE-2019-16056
high-risk
Published 2019-09-06
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
Do I need to act?
~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
References (68)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3725
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3948
Issue Tracking
https://bugs.python.org/issue34155
and 48 more references
50
/ 100
high-risk
Severity
26/34 · High
Exploitability
4/34 · Minimal
Exposure
20/34 · Moderate