Vulnerability Description
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
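The defensive check this bug calls for, as an added example (not CPython's own patch or code from the CVE record): on an affected interpreter SMTP.starttls() hands back the server's (code, reply) even when the reply is not 220, so the caller must verify the upgrade itself. The wrapper below fails closed on a refused or stripped STARTTLS; the _FakeSMTP class is a constructed stand-in that mimics the unpatched behaviour so the check can be exercised without a network.

```python
import ssl
import smtplib
from unittest import mock


def require_starttls(smtp):
    """Upgrade an smtplib.SMTP session to TLS and fail closed if it did not happen.

    Affected CPython versions return (code, reply) from starttls() even when the
    server answers with an error instead of 220, leaving the session plaintext.
    Checking both the response code and the real socket type catches a refused
    or stripped STARTTLS. On fixed versions starttls() raises
    SMTPResponseException itself, which is an SMTPException, so callers can
    treat both paths the same way.
    """
    code, reply = smtp.starttls()
    if code != 220:
        raise smtplib.SMTPException(
            "STARTTLS refused or stripped: %d %r" % (code, reply))
    if not isinstance(smtp.sock, ssl.SSLSocket):
        raise smtplib.SMTPException("socket was not upgraded to TLS")
    return code


class _FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (hypothetical, no network).

    Reproduces the unpatched behaviour: starttls() never raises, reports the
    server's reply, and only wraps the socket when the reply code is 220.
    """
    def __init__(self, code, reply, upgrades=True):
        self._code, self._reply, self._upgrades = code, reply, upgrades
        self.sock = object()  # plaintext placeholder socket

    def starttls(self):
        if self._code == 220 and self._upgrades:
            # mock with spec makes isinstance(sock, ssl.SSLSocket) true
            self.sock = mock.Mock(spec=ssl.SSLSocket)
        return self._code, self._reply


def starttls_enforced(code, reply, upgrades=True):
    """Return True only when TLS is actually in place after the upgrade attempt."""
    try:
        require_starttls(_FakeSMTP(code, reply, upgrades))
        return True
    except smtplib.SMTPException:
        return False
```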
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | 3.5.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2016-1626.html
- http://rhn.redhat.com/errata/RHSA-2016-1627.html
- http://rhn.redhat.com/errata/RHSA-2016-1628.html
- http://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://rhn.redhat.com/errata/RHSA-2016-1630.html
- http://www.openwall.com/lists/oss-security/2016/06/14/9 (Mailing List)
- http://www.securityfocus.com/bid/91225
- http://www.splunk.com/view/SP-CAAAPSV
- http://www.splunk.com/view/SP-CAAAPUE
- https://bugzilla.redhat.com/show_bug.cgi?id=1303647 (Issue Tracking, Third Party Advisory)
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5 (Release Notes)
- https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2 (Release Notes)
- https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS (Release Notes)
- https://hg.python.org/cpython/rev/b3ce713fb9be (Patch)
FAQ
What is CVE-2016-0772?
CVE-2016-0772 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypas...
How severe is CVE-2016-0772?
CVE-2016-0772 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-0772?
Check the references section above for vendor advisories and patch information. Affected products include: Python (vendor: Python).