iosmptd Fixes Security Vulnerability in smtpd.py
CVE-2024-34083

5.4MEDIUM

Key Information:

Vendor: Aio-libs
Status: AiOSmtpd
Vendor: CVE Published:; 18 May 2024

What is CVE-2024-34083?

aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.

Affected Version(s)

aiosmtpd < 1.4.6

References

https://github.com/aio-libs/aiosmtpd/security/advisories/...

x_refsource_CONFIRM

https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd2...

x_refsource_MISC

https://nostarttls.secvuln.info

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2024
Vulnerability Reserved
Apr 30, 2024

Aio-libs

What is CVE-2024-34083?

Affected Version(s)

References

CVSS V3.1

Timeline