email.utils.parseaddr mistakenly parse an email

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

email.utils.parseaddr wrongly parse the From field of an email.

email.utils.parseaddr('John Doe jdoe@example.com <other@example.net>') returns ('', 'John Doe jdoe@example.com'), whereas it should return ('John Doe jdoe@example.com', 'other@example.net').

Dates:

  • Disclosure date: 2018-07-19 (Python issue bpo-34155 reported)

Fixed In

Python issue

[CVE-2019-16056] email.utils.parseaddr mistakenly parse an email.

  • Python issue: bpo-34155
  • Creation date: 2018-07-19
  • Reporter: Cyril Nicodème

CVE-2019-16056

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Timeline

Timeline using the disclosure date 2018-07-19 as reference: