CVE-2020-12272 — Authentication Bypass by Spoofing in Opendmarc

CWE-290 — Authentication Bypass by Spoofing9 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.8%

top 25.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trusteddomain Opendmarc Debian Opendmarc Fedoraproject Fedora

Timeline

PublishedApr 27

Latest updateSep 11

Description

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Debiantrusteddomain/opendmarc< 1.4.0~beta1+dfsg-4+3

▶Ubuntutrusteddomain/opendmarc< 1.3.2-3ubuntu0.2+2

▶NVDtrusteddomain/opendmarc1.0.0 — 1.3.2+1

▶debiandebian/opendmarc< opendmarc 1.4.0~beta1+dfsg-4 (bookworm)

Also affects: Fedora 33, 34

🔴Vulnerability Details

OSV

opendmarc vulnerabilities↗2023-09-11

▶

GHSA

GHSA-m64q-99pc-qh99: OpenDMARC through 1↗2022-05-24

▶

OSV

CVE-2020-12272: OpenDMARC through 1↗2020-04-27

▶

📋Vendor Advisories

Ubuntu

OpenDMARC vulnerabilities↗2023-09-11

▶

Debian

CVE-2020-12272: opendmarc - OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication resu...↗2020

▶

💬Community

Bugzilla

CVE-2019-20790 CVE-2020-12272 opendmarc: Two vulnerabilities in openDMARC 1.3.2 [epel-all]↗2020-04-27

▶

Bugzilla

CVE-2019-20790 CVE-2020-12272 opendmarc: Two vulnerabilities in openDMARC 1.3.2 [fedora-all]↗2020-04-27

▶

Bugzilla

CVE-2020-12272 CVE-2019-20790 opendmarc: Two vulnerabilities in openDMARC 1.3.2↗2020-04-27

▶