Vulnerability Description
maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maddy Project | Maddy | >= 0.2.0, < 0.6.3 |
Related Weaknesses (CWE)
References
- https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399aPatch
- https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9cPatch
- https://github.com/foxcpp/maddy/releases/tag/v0.6.3Release Notes
- https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6wPatchVendor Advisory
- https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399aPatch
- https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9cPatch
- https://github.com/foxcpp/maddy/releases/tag/v0.6.3Release Notes
- https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6wPatchVendor Advisory
FAQ
What is CVE-2023-27582?
CVE-2023-27582 is a vulnerability with a CVSS score of 9.1 (CRITICAL). maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using ...
How severe is CVE-2023-27582?
CVE-2023-27582 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-27582?
Check the references section above for vendor advisories and patch information. Affected products include: Maddy Project Maddy.