Homepage
About Snyk

Acceptance of Extraneous Untrusted Data With Trusted Data Affecting aiosmtpd package, versions [,1.4.6)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-AIOSMTPD-6913431
  • published 19 May 2024
  • disclosed 18 May 2024
  • credit Arusekk
Report a new vulnerability Found a mistake?

Introduced: 18 May 2024

CVE-2024-34083 Open this link in a new tab
CWE-349 Open this link in a new tab

How to fix?

Upgrade aiosmtpd to version 1.4.6 or higher.

Overview

aiosmtpd is an aiosmtpd - asyncio based SMTP server

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data via the STARTTLS process. An attacker can inject unencrypted commands by performing a man-in-the-middle attack.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.4 medium
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None