CVE-2024-6923 — Code Injection in Software Foundation Cpython

CWE-94 — Code Injection12 documents8 sources

Severity

5.5MEDIUMNVD

OSV5.3

EPSS

0.2%

top 53.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedAug 1

Latest updateNov 19

Description

There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 2.1 | Impact: 3.4

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.9.0 — 3.9.20+5

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2024-11-19

▶

OSV

python3.10, python3.12, python3.8 vulnerabilities↗2024-09-16

▶

GHSA

GHSA-87qc-q3w7-7m8w: There is a MEDIUM severity vulnerability affecting CPython↗2024-08-01

▶

OSV

CVE-2024-6923: There is a MEDIUM severity vulnerability affecting CPython↗2024-08-01

▶

OSV

CVE-2024-6923: There is a MEDIUM severity vulnerability affecting CPython↗2024-08-01

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-11-19

▶

Ubuntu

Python vulnerabilities↗2024-09-16

▶

Microsoft

Email header injection due to unquoted newlines↗2024-08-13

▶

Red Hat

cpython: python: email module doesn't properly quotes newlines in email headers, allowing header injection↗2024-08-01

▶

Debian

CVE-2024-6923: pypy3 - There is a MEDIUM severity vulnerability affecting CPython. The email module d...↗2024

▶