CVE-2023-27043

Updated: 2025-12-28 04:13:29

Description:

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
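The protection-mechanism bypass the description refers to, written out as an added example (this is not code from the CVE page, from CPython, or from any listed distribution): a naive signup gate built on email.utils.parseaddr() beside a hardened one whose result does not depend on whether the interpreter carries the fix. The allow-listed domain company.example.com, the function names and the sample addresses are all constructed for this example; the malformed shapes follow what the description states, a special character placed between a "good-looking" addr-spec and a second, angle-bracketed address.

```python
"""Worked example for CVE-2023-27043: why a domain check built on
email.utils.parseaddr() can be bypassed, and how to write one that cannot.

Every address below is constructed sample data, not captured traffic.
"""
import inspect
import re
from email.utils import parseaddr

ALLOWED_DOMAIN = "company.example.com"   # hypothetical allow-listed domain

# Constructed inputs and the verdict a correct signup gate must give.
SAMPLES = {
    "alice@company.example.com": True,
    "alice@company.example.com]<mallory@attacker.example>": False,  # CVE shape: ']'
    "alice@company.example.com(<mallory@attacker.example>": False,  # CVE shape: '('
    "alice@company.example.com@attacker.example": False,            # two '@'
    "Alice <alice@company.example.com>": False,   # display-name form, not a bare addr-spec
    "alice@evilcompany.example.com": False,       # different domain
}


def parser_is_patched() -> bool:
    """True if this interpreter's parseaddr() carries the strict= parameter
    that the CVE-2023-27043 fix added (strict defaults to True when present).
    Useful as a quick check of which behaviour the deployed runtime has."""
    return "strict" in inspect.signature(parseaddr).parameters


def legacy_check(addr: str) -> bool:
    """The vulnerable pattern: trust whatever parseaddr() labels the addr-spec.

    On an unpatched interpreter the ']' and '(' samples above pass, because
    the legacy parser returns 'alice@company.example.com' and simply stops at
    the special character, while a mail system may deliver to the <...> part.
    On a patched interpreter the same inputs yield ('', '') and fail.
    """
    _, spec = parseaddr(addr)
    return spec.lower().endswith("@" + ALLOWED_DOMAIN)


# Bare dot-atom addr-spec only: one local part, one '@', a domain made of
# letter/digit/hyphen labels.  Narrower than RFC 5322 on purpose (no quoted
# local parts, no domain literals, no comments): a signup form needs neither.
_BARE_ADDR_SPEC = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def hardened_check(addr: str) -> bool:
    """Accept only a bare addr-spec whose domain is exactly ALLOWED_DOMAIN.

    Three independent controls, so the verdict is the same on patched and
    unpatched interpreters:
      1. whole-string syntax match: no specials, comments or angle brackets;
      2. parseaddr() must hand back the *entire* input as the addr-spec, so
         nothing was skipped over or split off (a patched parseaddr() returns
         ('', '') for malformed input, which fails this test as well);
      3. exact comparison of the domain, not a suffix test.
    """
    candidate = addr.strip()
    if not _BARE_ADDR_SPEC.fullmatch(candidate):
        return False
    _, spec = parseaddr(candidate)
    if spec != candidate:
        return False
    local, _, domain = spec.rpartition("@")
    return bool(local) and domain.lower() == ALLOWED_DOMAIN


def audit_samples() -> dict:
    """Run both checks over SAMPLES: {address: (legacy, hardened, expected)}."""
    return {a: (legacy_check(a), hardened_check(a), want)
            for a, want in SAMPLES.items()}


if __name__ == "__main__":
    print("parseaddr() has strict= :", parser_is_patched())
    for addr, (legacy, hardened, want) in audit_samples().items():
        flag = "" if hardened == want else "  <-- hardened check wrong"
        print(f"{addr!r:60} legacy={legacy!s:5} hardened={hardened!s:5} want={want}{flag}")
```

Run it once on the interpreter you ship: if parser_is_patched() is False, the legacy column shows the bypass directly for the ']' and '(' rows. The hardened gate gives the expected verdict either way, so it is the form to deploy while the fleet is still being updated, and it remains correct after the update because it never relied on the parser's leniency.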


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

CVSS Version 2.x: 0.0 (no v2 score assigned)
CVSS Version 3.x: 5.3 MEDIUM

Status

OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement
AlmaLinux 9.2 ESU | python3.11 | 3.11.2 | 5.3 | MEDIUM | Released | CLSA-2025:1740645491 | 2025-02-27 22:02:00 | A new optional strict parameter has been added to email.utils.parseaddr() and email.utils.getaddress...
AlmaLinux 9.2 ESU | python3 | 3.9.16 | 5.3 | MEDIUM | Released | CLSA-2024:1711648611 | 2024-03-28 14:13:09 | A new optional strict parameter has been added to email.utils.parseaddr() and email.utils.getaddress...
CentOS 6 ELS | python | 2.6.6 | 5.3 | MEDIUM | Ignored | - | 2023-04-28 11:04:35 | Ignored due to low severity
CentOS 7 ELS | python | 2.7.5 | 5.3 | MEDIUM | Released | CLSA-2024:1711491407 | 2024-04-09 11:20:05 | -
CentOS 7 ELS | python3 | 3.6.8 | 5.3 | MEDIUM | Ignored | - | 2023-09-19 09:30:15 | -
CentOS 8.4 ELS | python3 | 3.6.8 | 5.3 | MEDIUM | Released | CLSA-2024:1717693112 | 2024-06-06 14:35:21 | -
CentOS 8.4 ELS | python2 | 2.7.18 | 5.3 | MEDIUM | Released | CLSA-2024:1717693264 | 2024-06-06 14:35:22 | -
CentOS 8.5 ELS | python2 | 2.7.18 | 5.3 | MEDIUM | Released | CLSA-2024:1717692075 | 2024-06-06 14:35:20 | -
CentOS 8.5 ELS | python3 | 3.6.8 | 5.3 | MEDIUM | Released | CLSA-2024:1717692229 | 2024-06-06 14:35:19 | -
CentOS Stream 8 ELS | python2 | 2.7.18 | 5.3 | MEDIUM | Ignored | - | 2024-09-09 12:12:14 | Ignored due to low severity

(- = no value given on the page)

Total: 18 (10 rows shown here)