Headline
GHSA-pr2m-px7j-xg65: aiosmtpd vulnerable to SMTP smuggling
Summary
aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not-so-novel interpretation differences of the SMTP protocol, specifically in which byte sequence a server accepts as the end of the DATA section. By exploiting SMTP smuggling, an attacker can smuggle e-mails with spoofed sender addresses, enabling advanced phishing attacks. The same issue also existed in other SMTP software such as Postfix (https://www.postfix.org/smtp-smuggling.html).
Details
Detailed information on SMTP smuggling can be found in the full blog post (https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) or on the Postfix homepage (https://www.postfix.org/smtp-smuggling.html), and soon on the official website https://smtpsmuggling.com/.
Impact
With the right SMTP server constellation, that is, an outbound server that forwards a non-standard end-of-data sequence unchanged and an inbound/receiving aiosmtpd instance that accepts it as the end of the message, an attacker can send spoofed e-mails to the receiving aiosmtpd instance.
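The interpretation difference described above, as an added example that is not part of the advisory and not aiosmtpd's own code: a minimal model of the receiving side of an SMTP session, run once with the RFC 5321 end-of-data rule (only CRLF.CRLF terminates DATA) and once with a lenient rule that also accepts bare-LF variants. The session bytes are constructed for the example; the second MAIL FROM inside the DATA section is the smuggled envelope. Dot-stuffing and the other SMTP verbs are deliberately not modelled.

```python
import re

# RFC 5321 end-of-data: a line containing only "." terminated by CRLF,
# i.e. the byte sequence <CRLF>.<CRLF>. A receiver that also accepts
# <LF>.<LF> (or mixed variants) is the lenient side of the interpretation
# difference that SMTP smuggling exploits.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")

# Constructed relay-to-inbound session (not captured traffic). The first
# envelope is legitimate; inside its DATA section sits a non-standard "\n.\n"
# followed by a second, attacker-chosen envelope. A strict receiver keeps
# all of it as message body; a lenient receiver sees two messages.
SMUGGLING_SESSION = (
    b"MAIL FROM:<legit@example.org>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: legit@example.org\r\n"
    b"Subject: benign\r\n"
    b"\r\n"
    b"Hello.\r\n"
    b"\n.\n"                              # smuggled, non-standard terminator
    b"MAIL FROM:<ceo@example.net>\r\n"    # spoofed envelope sender
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.net\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay invoice 42.\r\n"
    b"\r\n.\r\n"                          # the only RFC-compliant terminator
)


def process_session(stream: bytes, lenient: bool) -> list[dict]:
    """Illustrative model of an SMTP receiver (not aiosmtpd's parser).

    Returns one dict per accepted message with the envelope sender, the
    recipients and the raw body. Only MAIL FROM, RCPT TO and DATA are
    handled; other command lines are skipped.
    """
    eod = LENIENT_EOD if lenient else STRICT_EOD
    messages: list[dict] = []
    env: dict = {"mail_from": None, "rcpt_to": []}
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break  # incomplete command line; a real server would keep reading
        line = stream[pos:nl]
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            env["mail_from"] = line[len(b"MAIL FROM:"):].strip().decode()
        elif upper.startswith(b"RCPT TO:"):
            env["rcpt_to"].append(line[len(b"RCPT TO:"):].strip().decode())
        elif upper == b"DATA":
            # Search from the CRLF that ends the DATA line so that an empty
            # body (DATA\r\n.\r\n) is terminated correctly as well.
            m = eod.search(stream, nl)
            if m is None:
                break  # no terminator yet; a real server would keep reading
            messages.append({**env, "body": stream[nl + 2 : m.start()]})
            env = {"mail_from": None, "rcpt_to": []}
            pos = m.end()
            continue
        pos = nl + 2
    return messages


if __name__ == "__main__":
    for mode in (False, True):
        msgs = process_session(SMUGGLING_SESSION, lenient=mode)
        print(f"lenient={mode}: {len(msgs)} message(s)")
        for msg in msgs:
            print("  MAIL FROM", msg["mail_from"], "->", msg["rcpt_to"])
```

With the strict rule the receiver accepts exactly one message from `<legit@example.org>` whose body happens to contain the text `MAIL FROM:<ceo@example.net>`; with the lenient rule it accepts two, the second with the spoofed envelope sender. Fixing the receiver to accept only CRLF.CRLF (as this example's strict mode does) closes the inbound side; the Postfix page linked above describes the corresponding option on that server, and how aiosmtpd 1.4.5 implements its fix is in the referenced commit, not reproduced here.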
Package
aiosmtpd (pip)
Affected versions
< 1.4.5
Patched versions
1.4.5
References
- GHSA-pr2m-px7j-xg65
- https://nvd.nist.gov/vuln/detail/CVE-2024-27305
- aio-libs/aiosmtpd@24b6c79
- https://www.postfix.org/smtp-smuggling.html
Dreamsorcerer published to aio-libs/aiosmtpd: Mar 12, 2024
Published by the National Vulnerability Database: Mar 12, 2024
Published to the GitHub Advisory Database: Mar 13, 2024
Reviewed: Mar 13, 2024
Last updated: Mar 13, 2024