CVE-2023-36632

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.python.org/3/library/email.html	Product
https://docs.python.org/3/library/email.utils.html	Product
https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py	Product
https://github.com/python/cpython/issues/103800	Exploit Issue Tracking
https://docs.python.org/3/library/email.html	Product
https://docs.python.org/3/library/email.utils.html	Product
https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py	Product
https://github.com/python/cpython/issues/103800	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-06-25 18:15

Updated : 2024-11-21 08:10

NVD link : CVE-2023-36632

Mitre link : CVE-2023-36632

CVE.ORG link : CVE-2023-36632

JSON object : View

Products Affected

python

python

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2023-36632", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-06-25T18:15:09.313", "references": [{"url": "https://docs.python.org/3/library/email.html", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://docs.python.org/3/library/email.utils.html", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/python/cpython/issues/103800", "tags": ["Exploit", "Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://docs.python.org/3/library/email.html", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.python.org/3/library/email.utils.html", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python/cpython/issues/103800", "tags": ["Exploit", "Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code."}], "lastModified": "2024-11-21T08:10:07.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBFABA38-746A-451D-A9DB-8AF31A4AE9B3", "versionEndIncluding": "3.11.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}