CVE-2019-16056

Description

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

7.5

CVSS

Severity: High

CVSS 3.1 •

CVSS 2.0 •

EPSS 0.62%

Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory ubuntu.com Vendor Advisory ubuntu.com Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory opensuse.org Vendor Advisory redhat.com Vendor Advisory opensuse.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory redhat.com Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory opensuse.org Vendor Advisory python.org

Affected: n/a n/a

References

Link	Tags
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/	vendor advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html	third party advisory mailing list
https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html	third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/	vendor advisory
https://usn.ubuntu.com/4151-1/	third party advisory vendor advisory
https://usn.ubuntu.com/4151-2/	third party advisory vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html	third party advisory vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html	third party advisory vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:3725	third party advisory vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html	third party advisory vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/	vendor advisory
https://access.redhat.com/errata/RHSA-2019:3948	third party advisory vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	third party advisory vendor advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	third party advisory patch
https://www.oracle.com/security-alerts/cpujul2020.html	third party advisory patch
https://bugs.python.org/issue34155	vendor advisory issue tracking
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9	patch
https://security.netapp.com/advisory/ntap-20190926-0005/	third party advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	third party advisory mailing list
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E	mailing list
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2019-16056?: CVE-2019-16056 has been scored as a high severity vulnerability.
How to fix CVE-2019-16056?: To fix CVE-2019-16056, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-16056 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2019-16056 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.