email.utils.parseaddr mistakenly parse an email¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
email.utils.parseaddr wrongly parse the From field of an email.
email.utils.parseaddr('John Doe jdoe@example.com <other@example.net>')
returns ('', 'John Doe jdoe@example.com')
, whereas it should return
('John Doe jdoe@example.com', 'other@example.net')
.
Dates:
- Disclosure date: 2018-07-19 (Python issue bpo-34155 reported)
Fixed In¶
- Python 2.7.17 (2019-10-19) fixed by commit 4cbcd2f (branch 2.7) (2019-09-14)
- Python 3.5.8 (2019-10-29) fixed by commit 063eba2 (branch 3.5) (2019-09-07)
- Python 3.6.10 (2019-12-18) fixed by commit 13a1913 (branch 3.6) (2019-08-09)
- Python 3.7.5 (2019-10-14) fixed by commit c48d606 (branch 3.7) (2019-08-09)
- Python 3.8.0 (2019-10-14) fixed by commit 2170774 (branch 3.8) (2019-08-09)
Python issue¶
[CVE-2019-16056] email.utils.parseaddr mistakenly parse an email.
- Python issue: bpo-34155
- Creation date: 2018-07-19
- Reporter: Cyril Nicodème
CVE-2019-16056¶
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
- CVE ID: CVE-2019-16056
- Published: 2019-09-06
- CVSS Score: 5.0
Timeline¶
Timeline using the disclosure date 2018-07-19 as reference:
- 2018-07-19: Python issue bpo-34155 reported by Cyril Nicodème
- 2019-08-09 (+386 days): commit 13a1913 (branch 3.6)
- 2019-08-09 (+386 days): commit 2170774 (branch 3.8)
- 2019-08-09 (+386 days): commit c48d606 (branch 3.7)
- 2019-09-06 (+414 days): CVE-2019-16056 published
- 2019-09-07 (+415 days): commit 063eba2 (branch 3.5)
- 2019-09-14 (+422 days): commit 4cbcd2f (branch 2.7)
- 2019-10-14: Python 3.8.0 released
- 2019-10-14 (+452 days): Python 3.7.5 released
- 2019-10-19 (+457 days): Python 2.7.17 released
- 2019-10-29 (+467 days): Python 3.5.8 released
- 2019-12-18 (+517 days): Python 3.6.10 released