Recursion Error in Python Legacy Email Parsing Function
CVE-2023-36632

7.5HIGH

Key Information:

Vendor: Python
Status: Python
Vendor: CVE Published:; 25 June 2023

Summary

The email.utils.parseaddr function in the Python Standard Library, specifically in versions up to 3.11.4, can be exploited by attackers using crafted input data. This input, which should contain a name and an email address, can lead to a 'RecursionError' as it exceeds the maximum recursion depth. Although this function is categorized as a legacy API, it highlights the importance of input validation in applications to avoid excessive recursion, which is not a defined vulnerability according to the vendor. The recommended practice is to utilize the newer email.parser.BytesParser or email.parser.Parser classes for safer email data handling.

References

https://docs.python.org/3/library/email.utils.html

https://docs.python.org/3/library/email.html

https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/ma...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 25, 2023
Vulnerability Reserved
Jun 25, 2023