CVE-2016-0772 Information

Description

The smtplib library in CPython (aka Python) before 2.7.12 3.x before 3.4.5 and 3.5.x before 3.5.2 does not return an error when StartTLS fails which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command aka a \StartTLS stripping attack.\

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html http://rhn.redhat.com/errata/RHSA-2016-1626.html http://rhn.redhat.com/errata/RHSA-2016-1627.html http://rhn.redhat.com/errata/RHSA-2016-1628.html http://rhn.redhat.com/errata/RHSA-2016-1629.html http://rhn.redhat.com/errata/RHSA-2016-1630.html http://www.openwall.com/lists/oss-security/2016/06/14/9 http://www.securityfocus.com/bid/91225 http://www.splunk.com/view/SP-CAAAPSV http://www.splunk.com/view/SP-CAAAPUE https://bugzilla.redhat.com/show_bug.cgi?id=1303647 https://docs.python.org/3.4/whatsnew/changelog.htmlpython-3-4-5 https://docs.python.org/3.5/whatsnew/changelog.htmlpython-3-5-2 https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS https://hg.python.org/cpython/rev/b3ce713fb9be https://hg.python.org/cpython/rev/d590114c2394 https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html https://security.gentoo.org/glsa/201701-18

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

HIGH

Base Score

NONE

Base Severity

6.5