Incorrect signature verification in django-ses
CVE-2023-33185

5.4MEDIUM

Key Information:

Vendor

django-ses

Status
django-ses
Vendor
CVE Published:
26 May 2023

What is CVE-2023-33185?

Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the SESEventWebhookView class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

Affected Version(s)

django-ses < 3.5.0

References

https://github.com/django-ses/django-ses/security/advisor...
x_refsource_CONFIRM
https://github.com/django-ses/django-ses/commit/b71b5f413...
x_refsource_MISC
https://github.com/django-ses/django-ses/blob/3d627067935...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.