CVE-2019-16056

CWE-20 — Improper Input Validation22 documents9 sources

Severity

7.5HIGH

EPSS

1.2%

top 20.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Communications Operations Monitor Python Python Canonical Ubuntu Linux +7 more

Timeline

PublishedSep 6

Latest updateJul 11

Description

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages12 packages

▶Debianpython2.7< 2.7.17~rc1-1

▶Ubuntupython2.7< 2.7.12-1ubuntu0~16.04.9+2

▶Ubuntupython3.5< 3.5.2-2ubuntu0~16.04.9

▶Ubuntupython3.6< 3.6.8-1~18.04.3

▶Ubuntupython3.4< 3.4.3-1ubuntu1~14.04.7+esm4

Also affects: Debian Linux 8.0, 9.0, Fedora 29, 30, 31, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.04

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-8mcc-mjj5-h77m: An issue was discovered in Python through 2↗2022-05-24

▶

OSV

python2.7, python3.4 vulnerabilities↗2019-10-10

▶

OSV

python2.7, python3.5, python3.6, python3.7 vulnerabilities↗2019-10-09

▶

OSV

CVE-2019-16056: An issue was discovered in Python through 2↗2019-09-06

▶

CVEList

CVE-2019-16056: An issue was discovered in Python through 2↗2019-09-06

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: VSP implementing webserver (Python) — CVE-2019-16056↗2020-07-15

▶

Ubuntu

Python vulnerabilities↗2019-10-10

▶

Ubuntu

Python vulnerabilities↗2019-10-09

▶

Debian

CVE-2019-16056: python2.7 - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x throu...↗2019

▶

💬Community

Bugzilla

CVE-2019-16056 python37: python: email.utils.parseaddr wrongly parses email addresses [fedora-rawhide]↗2019-09-10

▶

Bugzilla

CVE-2019-16056 python34: python: email.utils.parseaddr wrongly parses email addresses [epel-all]↗2019-09-09

▶

Bugzilla

CVE-2019-16056 python38: python: email.utils.parseaddr wrongly parses email addresses [fedora-all]↗2019-09-09

▶

Bugzilla

CVE-2019-16056 python34: python: email.utils.parseaddr wrongly parses email addresses [fedora-all]↗2019-09-09

▶

Bugzilla

CVE-2019-16056 python2: python: email.utils.parseaddr wrongly parses email addresses [fedora-all]↗2019-09-09

▶