CVE-2019-16056

HIGH

Description

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

References

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

https://access.redhat.com/errata/RHSA-2019:3725

https://access.redhat.com/errata/RHSA-2019:3948

https://bugs.python.org/issue34155

https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html

https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

https://lists.fedoraproject.org/archives/list/[email protected]/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/

https://lists.fedoraproject.org/archives/list/[email protected]/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

https://lists.fedoraproject.org/archives/list/[email protected]/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/

https://lists.fedoraproject.org/archives/list/[email protected]/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/

https://lists.fedoraproject.org/archives/list/[email protected]/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

https://lists.fedoraproject.org/archives/list/[email protected]/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/

https://lists.fedoraproject.org/archives/list/[email protected]/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/

https://security.netapp.com/advisory/ntap-20190926-0005/

https://usn.ubuntu.com/4151-1/

https://usn.ubuntu.com/4151-2/

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

Details

Source: MITRE

Published: 2019-09-06

Updated: 2020-08-24

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions up to 2.7.16 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.0.0 to 3.0.1 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.1.0 to 3.1.5 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.2.0 to 3.2.6 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.3.0 to 3.3.7 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.4.0 to 3.4.10 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.5.0 to 3.5.7 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.6.0 to 3.6.9 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.7.0 to 3.7.4 (inclusive)

Tenable Plugins

72 plugins total

ID | Name | Product | Family | Severity
150521 | SUSE SLES11 Security Update : python (SUSE-SU-2021:14198-1) | Nessus | SuSE Local Security Checks | high
146007 | CentOS 8 : python3 (CESA-2020:1764) | Nessus | CentOS Local Security Checks | high
145889 | CentOS 8 : python27:2.7 (CESA-2020:1605) | Nessus | CentOS Local Security Checks | high
143954 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python Multiple Vulnerabilities (NS-SA-2020-0094) | Nessus | NewStart CGSL Local Security Checks | high
143922 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python3 Multiple Vulnerabilities (NS-SA-2020-0089) | Nessus | NewStart CGSL Local Security Checks | high
143918 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2020-0059) | Nessus | NewStart CGSL Local Security Checks | high
143782 | SUSE SLES12 Security Update : python3 (SUSE-SU-2020:2699-1) | Nessus | SuSE Local Security Checks | high
143646 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1) | Nessus | SuSE Local Security Checks | high
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | critical
138767 | NewStart CGSL MAIN 6.01 : python3 Multiple Vulnerabilities (NS-SA-2020-0030) | Nessus | NewStart CGSL Local Security Checks | high
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | critical
137412 | RHEL 7 : python (RHSA-2020:2520) | Nessus | Red Hat Local Security Checks | high
136049 | RHEL 8 : python3 (RHSA-2020:1764) | Nessus | Red Hat Local Security Checks | high
136044 | RHEL 8 : python27:2.7 (RHSA-2020:1605) | Nessus | Red Hat Local Security Checks | high
135831 | Scientific Linux Security Update : python on SL7.x x86_64 (20200407) | Nessus | Scientific Linux Local Security Checks | high
135830 | Scientific Linux Security Update : python3 on SL7.x x86_64 (20200407) | Nessus | Scientific Linux Local Security Checks | high
135344 | CentOS 7 : python3 (CESA-2020:1132) | Nessus | CentOS Local Security Checks | high
135343 | CentOS 7 : python (CESA-2020:1131) | Nessus | CentOS Local Security Checks | high
135059 | RHEL 7 : python (RHSA-2020:1131) | Nessus | Red Hat Local Security Checks | high
135056 | RHEL 7 : python3 (RHSA-2020:1132) | Nessus | Red Hat Local Security Checks | high
134741 | EulerOS Virtualization 3.0.2.2 : python (EulerOS-SA-2020-1275) | Nessus | Huawei Local Security Checks | high
134501 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2020-1212) | Nessus | Huawei Local Security Checks | high
133448 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1) | Nessus | SuSE Local Security Checks | critical
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
132802 | EulerOS Virtualization for ARM 64 3.0.5.0 : python3 (EulerOS-SA-2020-1048) | Nessus | Huawei Local Security Checks | high
132798 | EulerOS Virtualization for ARM 64 3.0.5.0 : python2 (EulerOS-SA-2020-1044) | Nessus | Huawei Local Security Checks | high
132783 | Fedora 31 : python36 (2019-a268ba7b23) | Nessus | Fedora Local Security Checks | high
132781 | Fedora 30 : python36 (2019-7ec5bb5d22) | Nessus | Fedora Local Security Checks | high
132188 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2653) | Nessus | Huawei Local Security Checks | high
131596 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-2442) | Nessus | Huawei Local Security Checks | high
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | critical
131237 | Amazon Linux 2 : python / python3 (ALAS-2019-1368) | Nessus | Amazon Linux Local Security Checks | high
130943 | SUSE SLES12 Security Update : python (SUSE-SU-2019:2748-2) | Nessus | SuSE Local Security Checks | high
130886 | openSUSE Security Update : python3 (openSUSE-2019-2453) | Nessus | SuSE Local Security Checks | high
130824 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-2115) | Nessus | Huawei Local Security Checks | high
130823 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-2114) | Nessus | Huawei Local Security Checks | high
130797 | Fedora 29 : python35 (2019-d202cda4f8) | Nessus | Fedora Local Security Checks | critical
130793 | Fedora 30 : python35 (2019-b06ec6159b) | Nessus | Fedora Local Security Checks | critical
130790 | Fedora 29 : python2 / python2-docs (2019-758824a3ff) | Nessus | Fedora Local Security Checks | high
130789 | Fedora 30 : python2 / python2-docs (2019-74ba24605e) | Nessus | Fedora Local Security Checks | high
130784 | Fedora 31 : python35 (2019-57462fa10d) | Nessus | Fedora Local Security Checks | critical
130776 | Fedora 31 : python2 / python2-docs (2019-0d3fcae639) | Nessus | Fedora Local Security Checks | high
130687 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-2225) | Nessus | Huawei Local Security Checks | high
130579 | openSUSE Security Update : python3 (openSUSE-2019-2438) | Nessus | SuSE Local Security Checks | high
130490 | Fedora 30 : python3 (2019-aba3cca74a) | Nessus | Fedora Local Security Checks | high
130485 | Fedora 29 : python3 (2019-986622833f) | Nessus | Fedora Local Security Checks | high
130478 | Fedora 31 : python3 (2019-232f092db0) | Nessus | Fedora Local Security Checks | high
130404 | Amazon Linux AMI : python27 / python34,python35,python36 (ALAS-2019-1314) | Nessus | Amazon Linux Local Security Checks | high
130388 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2802-1) | Nessus | SuSE Local Security Checks | high
130361 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2798-1) | Nessus | SuSE Local Security Checks | high
130339 | openSUSE Security Update : python (openSUSE-2019-2393) | Nessus | SuSE Local Security Checks | high
130337 | openSUSE Security Update : python (openSUSE-2019-2389) | Nessus | SuSE Local Security Checks | high
130193 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2748-1) | Nessus | SuSE Local Security Checks | high
130164 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2743-1) | Nessus | SuSE Local Security Checks | high
130126 | Photon OS 3.0: Python2 PHSA-2019-3.0-0031 | Nessus | PhotonOS Local Security Checks | high
129787 | Photon OS 1.0: Python2 PHSA-2019-1.0-0252 | Nessus | PhotonOS Local Security Checks | high
129774 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4151-1) | Nessus | Ubuntu Local Security Checks | high
129693 | Photon OS 2.0: Python2 PHSA-2019-2.0-0177 | Nessus | PhotonOS Local Security Checks | high
129685 | Photon OS 1.0: Python2 PHSA-2019-1.0-0255 | Nessus | PhotonOS Local Security Checks | high
129648 | Fedora 31 : python38 (2019-d11594bf0a) | Nessus | Fedora Local Security Checks | high
129618 | Fedora 31 : python34 (2019-50772cf122) | Nessus | Fedora Local Security Checks | high
129295 | Photon OS 2.0: Python3 PHSA-2019-2.0-0176 | Nessus | PhotonOS Local Security Checks | high
129294 | Photon OS 1.0: Python3 PHSA-2019-1.0-0251 | Nessus | PhotonOS Local Security Checks | high
129164 | Photon OS 3.0: Python3 PHSA-2019-3.0-0030 | Nessus | PhotonOS Local Security Checks | high
129029 | Fedora 29 : python34 (2019-5dc275c9f2) | Nessus | Fedora Local Security Checks | critical
129027 | Fedora 30 : python34 (2019-2b1f72899a) | Nessus | Fedora Local Security Checks | critical
128883 | Debian DLA-1925-1 : python2.7 security update | Nessus | Debian Local Security Checks | high
128882 | Debian DLA-1924-1 : python3.4 security update | Nessus | Debian Local Security Checks | high
128653 | Fedora 29 : python38 (2019-d58eb75449) | Nessus | Fedora Local Security Checks | high
128652 | Fedora 30 : python38 (2019-4954d8773c) | Nessus | Fedora Local Security Checks | high