CVE-2024-27305
Severity: MEDIUM
aiosmtpd <1.4.5 - SMTP Smuggling Sender Spoofing
Title source: manual
Description
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not-so-novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggled/spoofed e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also exists in other SMTP software, such as Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
Patch (x_refsource_misc): https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
Product (x_refsource_misc): https://www.postfix.org/smtp-smuggling.html
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
28.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-345
Status
published
Products (2)
aio-libs/aiosmtpd
< 1.4.5
pypi/aiosmtpd
0 - 1.4.5 (PyPI)
Published
Mar 12, 2024
Tracked Since
Feb 18, 2026