Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2016-0772 — Protection Mechanism Failure in Python
Severity
6.5MEDIUMNVD
EPSS
5.8%
top 9.50%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedSep 2
Latest updateMay 14
Description
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:NExploitability: 2.2 | Impact: 4.2