CVE-2019-16056

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Published: Sep 6, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-16056
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
python / python	-	2.7.16.x
python / python	3.5.0	3.5.7.x
python / python	3.6.0	3.6.9.x
python / python	3.7.0	3.7.4.x
python / python	3.0.0	3.0.1.x
python / python	3.1.0	3.1.5.x
python / python	3.2.0	3.2.6.x
python / python	3.3.0	3.3.7.x
python / python	3.4.0	3.4.10.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.04	19.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	12.04	12.04.x
redhat / software_collections	1.0	1.0.x
oracle / solaris	11	11.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / communications_operations_monitor	3.4	3.4.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / communications_operations_monitor	4.1	4.3.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
opensuse / leap	15.0	15.0.x
opensuse / leap	15.1	15.1.x

Vulnerability Database

289,599

CVE-2019-16056