CVE-2023-27043

Published: 19 April 2023

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Notes

as of 2024-04-15, bug is still being discussed and pull request
has not been accepted
As of 2024-04-15, the new pull requests are:
https://github.com/python/cpython/pull/108250
https://github.com/python/cpython/pull/111116

as of 2024-04-11, one of the pull requests
has been merged (pull/111116) while the bug
(gh-102988) remains open.

Status

Severity score breakdown

References

• https://github.com/python/cpython/pull/102990
• https://github.com/python/cpython/pull/105127
• https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html
• https://www.cve.org/CVERecord?id=CVE-2023-27043
• NVD
• Launchpad
• Debian

Bugs

• https://github.com/python/cpython/issues/102988
• https://github.com/python/cpython/issues/106669 (regression)
• https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html