Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple

The e-mail module incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.

Dates:

  • Disclosure date: 2023-03-24 (Python issue gh-102988 reported)

Vulnerable Versions

  • Python 3.10 (need commit)
  • Python 3.7 (need commit)
  • Python 3.8 (need commit)
  • Python 3.9 (need commit)

Python issue

[CVE-2023-27043] Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple.

  • Python issue: gh-102988
  • Creation date: 2023-03-24
  • Reporter: tdwyer

CVE-2023-27043

The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.
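A conservative check an application can place in front of its sender filter, given as an added example that is not part of this advisory or of CPython: the header value is accepted only if it can be rebuilt exactly from the tuple that `email.utils.parseaddr` returns, so the decision does not depend on how a given Python version resolves a malformed value. The function names, sample strings and the `example.org` allow-list are assumptions made for the illustration.

```python
from email.utils import formataddr, parseaddr


def single_address(raw):
    """Return the addr-spec if raw is exactly one mailbox that round-trips, else None."""
    raw = raw.strip()
    name, addr = parseaddr(raw)
    local, at, domain = addr.partition("@")
    # Require one local part and one domain; deliberately rejects quoted "@".
    if not (local and at and domain) or "@" in domain:
        return None
    # Accept only spellings that can be rebuilt from the parsed tuple. If the
    # parser dropped or re-attributed part of the input, none of these match.
    if raw not in (addr, "<%s>" % addr, formataddr((name, addr))):
        return None
    return addr


def sender_allowed(raw, allowed_domains):
    """Apply a domain allow-list (hypothetical policy) to a validated address."""
    addr = single_address(raw)
    if addr is None:
        return False
    return addr.rpartition("@")[2].lower() in allowed_domains


# Constructed sample header values, not taken from the advisory.
SAMPLES = [
    "alice@example.org",
    "Alice Example <alice@example.org>",
    "alice@example.org)<bob@example.com>",  # stray special character
    "alice@example.org, bob@example.com",   # two mailboxes in one value
    "bob@example.com",
]


def check_samples():
    allowed = {"example.org"}
    return [(s, sender_allowed(s, allowed)) for s in SAMPLES]


if __name__ == "__main__":
    for value, ok in check_samples():
        print("accept" if ok else "reject", repr(value))
```

The check is stricter than RFC 5322 and will reject some valid but unusual spellings; it is meant for places where a rejected sender is cheaper than a misattributed one.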

Timeline

Timeline using the disclosure date 2023-03-24 as reference: