低危 email.utils.parseaddr错误地解析电子邮件地址

CVE编号

CVE-2019-16056

利用情况

暂无

补丁情况

官方补丁

披露时间

2019-09-07
漏洞描述
在2.7.16、3.x至3.5.7、3.6.x至3.6.9和3.7.x至3.7.4的Python中发现了一个问题。电子邮件模块错误地解析了包含多个@字符的电子邮件地址。使用电子邮件模块并在邮件的“发件人/收件人”标头上执行某种检查的应用程序可能会被欺骗为接受应该拒绝的电子邮件地址。攻击可能与CVE-2019-11340中的攻击相同;但是,此CVE更普遍地适用于Python。
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://access.redhat.com/errata/RHSA-2019:3725
https://access.redhat.com/errata/RHSA-2019:3948
https://bugs.python.org/issue34155
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533...
https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html
https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://security.netapp.com/advisory/ntap-20190926-0005/
https://usn.ubuntu.com/4151-1/
https://usn.ubuntu.com/4151-2/
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 python python * Up to
(including)
2.7.16
运行在以下环境
应用 python python * From
(including)
3.0.0
Up to
(including)
3.0.1
运行在以下环境
应用 python python * From
(including)
3.1.0
Up to
(including)
3.1.5
运行在以下环境
应用 python python * From
(including)
3.2.0
Up to
(including)
3.2.6
运行在以下环境
应用 python python * From
(including)
3.3.0
Up to
(including)
3.3.7
运行在以下环境
应用 python python * From
(including)
3.4.0
Up to
(including)
3.4.10
运行在以下环境
应用 python python * From
(including)
3.5.0
Up to
(including)
3.5.7
运行在以下环境
应用 python python * From
(including)
3.6.0
Up to
(including)
3.6.9
运行在以下环境
应用 python python * From
(including)
3.7.0
Up to
(including)
3.7.4
运行在以下环境
系统 redhat_7 python * Up to
(excluding)
0:2.7.5-88.el7
运行在以下环境
系统 redhat_7 python3 * Up to
(excluding)
0:3.6.8-13.el7
运行在以下环境
系统 suse_12 libpython2_7-1_0 * Up to
(excluding)
2.7.13-28.36
运行在以下环境
系统 ubuntu_14.04_lts python2.7 * Up to
(excluding)
2.7.6-8ubuntu0.6+esm3
运行在以下环境
系统 ubuntu_16.04.7_lts python2.7 * Up to
(excluding)
2.7.12-1ubuntu0~16.04.9
运行在以下环境
系统 ubuntu_16.04_lts python2.7 * Up to
(excluding)
2.7.12-1ubuntu0~16.04.9
运行在以下环境
系统 ubuntu_18.04.5_lts python2.7 * Up to
(excluding)
2.7.15-4ubuntu4~18.04.2
运行在以下环境
系统 ubuntu_18.04_lts python2.7 * Up to
(excluding)
2.7.15-4ubuntu4~18.04.2
阿里云评分
3.1
  • 攻击路径
    远程
  • 攻击复杂度
    复杂
  • 权限要求
    无需权限
  • 影响范围
    有限影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    100
CWE-ID 漏洞类型
NVD-CWE-noinfo
阿里云安全产品覆盖情况