.. _email-parseaddr-realname:

Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple
============================================================================================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2023-27043>`_.

The e-mail module incorrectly parses e-mail addresses which contain a
special character. This vulnerability allows attackers to send messages
from e-ail addresses that would otherwise be rejected.

Dates:

* Disclosure date: **2023-03-24** (Python issue gh-102988 reported)

Vulnerable Versions
-------------------

* Python **3.10** (need commit)
* Python **3.7** (need commit)
* Python **3.8** (need commit)
* Python **3.9** (need commit)

Python issue
------------

[CVE-2023-27043] Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple.

* Python issue: `gh-102988 <https://github.com/python/cpython/issues/102988>`_
* Creation date: 2023-03-24
* Reporter: tdwyer

CVE-2023-27043
--------------

The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-ail addresses that would otherwise be rejected.

* CVE ID: `CVE-2023-27043 <https://nvd.nist.gov/vuln/detail/CVE-2023-27043/>`_
* Published: 2023-04-19

Timeline
--------

Timeline using the disclosure date **2023-03-24** as reference:

* 2023-03-24: `Python issue gh-102988 <https://github.com/python/cpython/issues/102988>`_ reported by tdwyer
* 2023-04-19 (**+26 days**): CVE-2023-27043 published