CVE-2016-0772

MEDIUM

CPython <3.4.5-2.7.12 - Info Disclosure

Title source: llm

Description

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Exploits (1)

exploitdb WORKING POC

by tintinweb · textlocalmultiple

https://www.exploit-db.com/exploits/43500

View Code ZIP pw:eip

References (18)

Core 18

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1630.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1627.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1629.html

Mailing List mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201701-18

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/91225

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1628.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-1626.html

Patch x_refsource_confirm

https://hg.python.org/cpython/rev/d590114c2394

Various Sources x_refsource_confirm

http://www.splunk.com/view/SP-CAAAPUE

Patch x_refsource_confirm

https://hg.python.org/cpython/rev/b3ce713fb9be

Various Sources x_refsource_confirm

http://www.splunk.com/view/SP-CAAAPSV

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=1303647

Release Notes x_refsource_confirm

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/06/14/9

Release Notes x_refsource_confirm

https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS

Release Notes x_refsource_confirm

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Scores

CVSS v3 6.5

EPSS 0.0764

EPSS Percentile 91.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Details

CWE

CWE-693

Status published

Products (30)

python/python 3.5.0

python/python 3.5.1

python/python 3.0

python/python 3.0.1

python/python 3.1.0

python/python 3.1.1

python/python 3.1.2

python/python 3.1.3

python/python 3.1.4

python/python 3.1.5

... and 20 more

Published Sep 02, 2016

Tracked Since Feb 18, 2026