Detections
Analytics

CVE-2016-0772

medium

Description

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

References

https://security.gentoo.org/glsa/201701-18

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

https://hg.python.org/cpython/rev/d590114c2394

https://hg.python.org/cpython/rev/b3ce713fb9be

https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5

https://bugzilla.redhat.com/show_bug.cgi?id=1303647

http://www.splunk.com/view/SP-CAAAPUE

http://www.splunk.com/view/SP-CAAAPSV

http://www.securityfocus.com/bid/91225

http://www.openwall.com/lists/oss-security/2016/06/14/9

http://rhn.redhat.com/errata/RHSA-2016-1630.html

http://rhn.redhat.com/errata/RHSA-2016-1629.html

http://rhn.redhat.com/errata/RHSA-2016-1628.html

http://rhn.redhat.com/errata/RHSA-2016-1627.html

http://rhn.redhat.com/errata/RHSA-2016-1626.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Details

Source: Mitre, NVD

Published: 2016-09-02

Updated: 2019-02-09

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Severity: Medium