CVE-2019-20790
OpenDMARC <= 1.3.2 and 1.4.x - Authentication Bypass via HELO/MAIL FROM Inconsistency
Severity
CRITICAL
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows an attacker to bypass SPF and DMARC authentication in situations where the HELO identity is inconsistent with the MAIL FROM identity: the SPF result computed for one identity ends up being applied to the other, and DMARC alignment is then judged against the wrong domain.
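The mechanism the description points at, as an added illustrative model (this is not the code of OpenDMARC or pypolicyd-spf, and the domains, IP addresses and the SPF record table are constructed stand-ins for DNS). The flawed evaluator pairs a "pass" obtained for the HELO identity with the MAIL FROM domain; the correct evaluator follows RFC 7489 and takes both the result and the domain from the MAIL FROM identity, falling back to HELO only for a null reverse path:

```python
"""Model of a HELO/MAIL FROM inconsistency turning into a DMARC pass.
Added example; not OpenDMARC or pypolicyd-spf code."""

from typing import List, NamedTuple

# Constructed stand-in for DNS: domain -> set of IPs its SPF record authorizes.
SPF_RECORDS = {
    "attacker.example": {"198.51.100.7"},
    "victim.example": {"203.0.113.10"},
}


class SpfVerdict(NamedTuple):
    identity: str   # "helo" or "mailfrom" (the two RFC 7208 identities)
    domain: str     # domain that identity carried
    result: str     # "pass", "fail" or "none"


def check_spf(domain: str, ip: str) -> str:
    """Simplified SPF evaluation: 'none' without a record, else pass/fail on the IP."""
    authorized = SPF_RECORDS.get(domain.lower())
    if authorized is None:
        return "none"
    return "pass" if ip in authorized else "fail"


def evaluate_spf(helo: str, mail_from: str, ip: str) -> List[SpfVerdict]:
    """Evaluate both identities, as an SPF policy daemon in front of DMARC would."""
    verdicts = [SpfVerdict("helo", helo, check_spf(helo, ip))]
    if mail_from:  # non-null reverse path
        mf_domain = mail_from.rsplit("@", 1)[-1]
        verdicts.append(SpfVerdict("mailfrom", mf_domain, check_spf(mf_domain, ip)))
    return verdicts


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    """DMARC relaxed alignment."""
    return org_domain(a) == org_domain(b)


def dmarc_spf_flawed(verdicts: List[SpfVerdict], mail_from: str, from_domain: str) -> bool:
    """Failure mode: a 'pass' for *any* identity is paired with the MAIL FROM domain."""
    if not any(v.result == "pass" for v in verdicts):
        return False
    mf_domain = mail_from.rsplit("@", 1)[-1] if mail_from else ""
    return bool(mf_domain) and aligned(mf_domain, from_domain)


def dmarc_spf_correct(verdicts: List[SpfVerdict], mail_from: str, from_domain: str) -> bool:
    """RFC 7489: DMARC uses the MAIL FROM identity; HELO only for a null reverse path.
    The result and the domain must come from the same verdict."""
    wanted = "mailfrom" if mail_from else "helo"
    for v in verdicts:
        if v.identity == wanted:
            return v.result == "pass" and aligned(v.domain, from_domain)
    return False


def demo() -> dict:
    # Constructed attacker session: HELO names the attacker's own SPF-passing domain,
    # while MAIL FROM and the From: header both claim the victim.
    ip = "198.51.100.7"
    helo = "attacker.example"
    mail_from = "billing@victim.example"
    from_domain = "victim.example"
    verdicts = evaluate_spf(helo, mail_from, ip)
    return {
        "verdicts": verdicts,
        "flawed": dmarc_spf_flawed(verdicts, mail_from, from_domain),
        "correct": dmarc_spf_correct(verdicts, mail_from, from_domain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed session the HELO check passes (attacker.example authorizes 198.51.100.7) and the MAIL FROM check fails (victim.example does not), yet the flawed evaluator reports an aligned SPF pass because it borrows the victim's MAIL FROM domain for alignment. When consuming SPF results from an upstream component, a DMARC implementation must record which identity each result belongs to and never mix a result from one identity with the domain of another.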
References (5)
Technical Description, Third Party Advisory: Chen, Paxson, Jiang, "Composition Kills: A Case Study of Email Sender Authentication", USENIX Security 2020, https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
Exploit, Third Party Advisory: OpenDMARC ticket #235, https://sourceforge.net/p/opendmarc/tickets/235/
Exploit, Third Party Advisory: pypolicyd-spf bug 1838816, https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
Mailing List, Vendor Advisory (Fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
Mailing List, Vendor Advisory (Fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
Scores
CVSS v3
9.8
EPSS
0.0266
EPSS Percentile
83.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-290 (Authentication Bypass by Spoofing)
Status
published
Products (5)
fedoraproject/fedora
33
fedoraproject/fedora
34
pypolicyd-spf_project/pypolicyd-spf
2.0.2
trusteddomain/opendmarc
1.4.0
trusteddomain/opendmarc
1.3.0 - 1.3.2
Published
Apr 27, 2020
Tracked Since
Feb 18, 2026