#VU22617 Input validation error in Python - CVE-2019-16056


Vulnerability identifier: #VU22617

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-16056

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when processing multiple occurrences of the "@" character in an email address. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 2.7.0 - 2.7.16, 3.5.0 - 3.5.7, 3.6.0 - 3.6.9, 3.7.0 - 3.7.4

External links
https://bugs.python.org/issue34155
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for python3.10
Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Multiple vulnerabilities in Oracle Communications Operations Monitor
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 8 update for the python27:2.7 module
Red Hat Enterprise Linux 8 update for python3
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 7 update for python3
Fedora 31 update for python36
Fedora 30 update for python36