Inbound SMTP Smuggling Vulnerability Affects aiosmtpd
CVE-2024-27305

5.3MEDIUM

Key Information:

Vendor: Aio-libs
Status: AiOSmtpd
Vendor: CVE Published:; 12 March 2024

What is CVE-2024-27305?

The aiosmtpd library, a Python-based implementation of the standard SMTP server, is subject to a vulnerability involving inbound SMTP smuggling. This flaw allows malicious actors to exploit discrepancies in SMTP protocol interpretations to send fraudulent emails, masquerading as legitimate emails with manipulated sender addresses. Such exploitation enables advanced phishing tactics, posing significant risks to users relying on aiosmtpd for email handling. The vulnerability is similarly present in other SMTP software, including Postfix, and necessitates correct server configurations to mitigate exploitation. This issue is resolved in aiosmtpd version 1.4.5, prompting users to upgrade to safeguard against potential attacks.

Affected Version(s)

aiosmtpd < 1.4.5

References

https://github.com/aio-libs/aiosmtpd/security/advisories/...

x_refsource_CONFIRM

https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921c...

x_refsource_MISC

https://www.postfix.org/smtp-smuggling.html

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Feb 22, 2024

Aio-libs

What is CVE-2024-27305?

Affected Version(s)

References

CVSS V3.1

Timeline