CVE-2023-36632

Updated: 2023-11-07 20:23:54.462167

Description:

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
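The following is an added example for this advisory; it is not code from CPython, NVD or the vendor. It shows the legacy email.utils.parseaddr raising RecursionError on a constructed input (deeply nested RFC 5322 comments, which the legacy parser handles with one recursive call per level; this is not the input from the upstream report), a wrapper that bounds input length and converts the exception into parseaddr's own ('', '') failure value, and the email.parser.Parser route the description recommends. The 998-character cap (MAX_ADDR_LEN, taken from the RFC 5322 line-length limit) and the helper names are assumptions of this example.

```python
# Added example for this advisory; not code from CPython, NVD or the vendor.
import email.utils
from email import policy
from email.parser import Parser

# Assumption of this example: cap a single address field at the RFC 5322
# line-length limit (998 octets). CPython imposes no such limit on parseaddr.
MAX_ADDR_LEN = 998

# Constructed input, not the reporter's proof of concept: 5000 nested RFC 5322
# comments around an address. The legacy parser enters one recursive call per
# '(' (getcomment -> getdelimited -> getcomment ...), so the nesting depth
# exceeds the default recursion limit (1000) long before the closing
# parentheses are reached. The parentheses are balanced so that the strict
# pre-validation present in newer releases, which rejects unbalanced
# parentheses up front, does not short-circuit the parse.
DEEP_NESTED = "(" * 5000 + "me@example.com" + ")" * 5000


def legacy_parse_raises(raw):
    """True if the unguarded legacy API raises RecursionError on raw."""
    try:
        email.utils.parseaddr(raw)
    except RecursionError:
        return True
    return False


def safe_parseaddr(raw):
    """Hardened wrapper around the legacy API.

    Rejects non-string or oversized input before parsing and treats a parser
    RecursionError as a failed parse, mirroring parseaddr's own ('', '')
    failure value, so untrusted input cannot turn it into an uncaught
    exception in the caller.
    """
    if not isinstance(raw, str) or len(raw) > MAX_ADDR_LEN:
        return ("", "")
    try:
        return email.utils.parseaddr(raw)
    except RecursionError:
        return ("", "")


def modern_parse_from(raw):
    """Parse raw as a From: header via email.parser.Parser and the modern policy.

    Returns a list of (display_name, addr_spec) pairs. The same length cap is
    applied first: the modern header parser is a separate code path, and this
    example makes no claim about how it behaves on pathological nesting.
    """
    if not isinstance(raw, str) or len(raw) > MAX_ADDR_LEN:
        return []
    msg = Parser(policy=policy.default).parsestr("From: " + raw + "\n\n")
    header = msg["From"]
    if header is None:
        return []
    return [(a.display_name, a.addr_spec) for a in header.addresses]


if __name__ == "__main__":
    print("legacy API raises RecursionError:", legacy_parse_raises(DEEP_NESTED))
    print("bounded wrapper on the same input:", safe_parseaddr(DEEP_NESTED))
    print("bounded wrapper, normal input:", safe_parseaddr("Alice <alice@example.com>"))
    print("email.parser route:", modern_parse_from("Alice <alice@example.com>, Bob <bob@example.com>"))
```

The practitioner point is that an uncaught RecursionError in a request handler or mail-processing worker is a denial of service regardless of whether upstream classes the behaviour as a bug, so either bound the input or catch the exception at the boundary where untrusted data enters. The example caps input on the email.parser path as well rather than assuming the newer parser tolerates pathological nesting.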


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

CVSS Version 2.x  0 (not scored)
CVSS Version 3.x  7.5 HIGH

Status

OS name             Project name  Version  Score  Severity  Status   Errata  Last updated
AlmaLinux 9.2 ESU   python3       3.9.16   7.5    HIGH      Ignored  -       2023-11-13 13:07:23
CentOS 6 ELS        python        2.6.6    7.5    HIGH      Ignored  -       2023-07-13 09:09:25
CentOS 7 ELS        python3       3.6.8    7.5    HIGH      Ignored  -       2023-10-16 14:08:04
CentOS 7 ELS        python        2.7.5    7.5    HIGH      Ignored  -       2023-10-16 09:30:05
CentOS 8.4 ELS      python2       2.7.18   7.5    HIGH      Ignored  -       2023-07-13 09:09:25
CentOS 8.4 ELS      python3       3.6.8    7.5    HIGH      Ignored  -       2023-07-13 09:09:24
CentOS 8.5 ELS      python3       3.6.8    7.5    HIGH      Ignored  -       2023-07-13 09:09:24
CentOS 8.5 ELS      python2       2.7.18   7.5    HIGH      Ignored  -       2023-07-13 09:09:24
CloudLinux 6 ELS    python        2.6.6    7.5    HIGH      Ignored  -       2023-07-13 09:09:25
Oracle Linux 6 ELS  python        2.6.6    7.5    HIGH      Ignored  -       2023-07-13 09:09:25

(Errata is empty for every row: no errata have been issued for this CVE.)

Statement

We have decided not to fix this CVE, since the project's upstream does not consider it a bug or a vulnerability. See https://github.com/python/cpython/issues/103800 for additional information.