Vulnerability Description
aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcd
- https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
- https://nostarttls.secvuln.info
- https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcd
- https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
- https://nostarttls.secvuln.info
FAQ
What is CVE-2024-34083?
CVE-2024-34083 is a vulnerability with a CVSS score of 5.4 (MEDIUM). aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if ...
How severe is CVE-2024-34083?
CVE-2024-34083 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34083?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.