VDB
CVE-2024-34083
CVE-2024-34083
PUBLISHED
CVSS 5.400000095367432 MEDIUM
aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.
EPSS 0.08% · 22.8th percentile
Risk Scores
CVSS 3.1
5.400000095367432
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
0.08%
22.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| aio-libs | aiosmtpd | *, < 1.4.6, < 1.4.6 |
| aio-libs | aiosmtpd | 0, 0, 0 |
| PyPI | aiosmtpd | 0, 0, 0 |
Exploit Intelligence
Timeline
- Jan 21, 1970 Security Advisory
- May 18, 2024 CVE Published
- May 19, 2024 EPSS Score
- May 20, 2024 CVE Updated
- Jun 13, 2024 EPSS Score
- Jul 7, 2024 EPSS Score
- Jul 30, 2024 EPSS Score
- Aug 23, 2024 EPSS Score
- Sep 16, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 10, 2024 EPSS Score
- Nov 2, 2024 EPSS Score
References
- https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8 url
- https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda url
- https://nostarttls.secvuln.info url
- https://nvd.nist.gov/vuln/detail/CVE-2024-34083 advisory
- https://github.com/aio-libs/aiosmtpd package