CVE-2024-6923
Published: August 2, 2024Last modified: October 1, 2025
Description
There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.10-r1) |
| Stream | python3 | Fixed (3.12.5-r0) | |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.10-r1) |
| Stream | python3 | Fixed (3.12.5-r0) |
References
- http://www.openwall.com/lists/oss-security/2024/08/01/3
- http://www.openwall.com/lists/oss-security/2024/08/02/2
- https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147
- https://github.com/python/cpython/commit/097633981879b3c9de9a1dd120d3aa585ecc2384
- https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7
- https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0
- https://github.com/python/cpython/commit/b158a76ce094897c870fb6b3de62887b7ccc33f1
- https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6
- https://github.com/python/cpython/commit/f7c0f09e69e950cf3c5ada9dbde93898eb975533
- https://github.com/python/cpython/issues/121650
- https://github.com/python/cpython/pull/122233
- https://lists.debian.org/debian-lts-announce/2025/01/msg00005.html
- https://mail.python.org/archives/list/[email protected]/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/
- https://security.netapp.com/advisory/ntap-20240926-0003/