PT-2023-21225 · Maddy · Maddy
Foxcpp · Published 2023-03-13 · Updated 2024-08-20
CVE-2023-27582
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
maddy versions 0.2.0 through 0.6.2
Description
The issue allows a full authentication bypass when a SASL authorization username (authzid) is supplied with the PLAIN authentication mechanism. Instead of validating the specified username, it is accepted as is after the credentials for the authentication username (authcid) are checked. In practice, anyone holding valid credentials for one account can log in as any other user simply by naming that user as the authorization identity.
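The following Go program is an added illustration of the flaw described above; it is not maddy's own code, and the credential store, the `ParsePlain`/`AuthVulnerable`/`AuthFixed` names and the sample usernames are all constructed for the example. It parses a SASL PLAIN response (RFC 4616 layout: `[authzid] NUL authcid NUL passwd`), then shows the vulnerable decision (password checked for authcid, authzid returned unchecked) next to one common hardening, honouring authzid only when it names the authenticated account. That hardening is an assumption for illustration, not necessarily the exact change shipped in maddy 0.6.3.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed credential store for this example (not maddy's storage backend).
// Passwords are kept in the clear only to keep the example short.
var users = map[string]string{
	"alice@example.org": "alice-secret",
	"bob@example.org":   "bob-secret",
}

// ParsePlain splits a SASL PLAIN initial response as laid out in RFC 4616:
// [authzid] NUL authcid NUL passwd. An empty authzid means "act as authcid".
func ParsePlain(resp []byte) (authz, authc, passwd string, err error) {
	parts := bytes.Split(resp, []byte{0})
	if len(parts) != 3 {
		return "", "", "", errors.New("malformed PLAIN response: expected exactly two NUL separators")
	}
	if len(parts[1]) == 0 || len(parts[2]) == 0 {
		return "", "", "", errors.New("malformed PLAIN response: empty authcid or password")
	}
	return string(parts[0]), string(parts[1]), string(parts[2]), nil
}

// checkPassword verifies the credentials of the *authentication* identity only.
func checkPassword(authc, passwd string) bool {
	stored, ok := users[authc]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(stored), []byte(passwd)) == 1
}

// AuthVulnerable reproduces the logic the advisory describes: the password is
// checked against authcid, but a supplied authzid is then returned as the
// effective identity without any check that authcid may act as it.
func AuthVulnerable(resp []byte) (string, error) {
	authz, authc, passwd, err := ParsePlain(resp)
	if err != nil {
		return "", err
	}
	if !checkPassword(authc, passwd) {
		return "", errors.New("invalid credentials")
	}
	if authz != "" {
		return authz, nil // BUG: authorization identity accepted as-is
	}
	return authc, nil
}

// AuthFixed honours authzid only when it names the same account as authcid.
// (Hypothetical hardening for illustration; a server that needs proxy
// authorization would consult an explicit policy here instead.)
func AuthFixed(resp []byte) (string, error) {
	authz, authc, passwd, err := ParsePlain(resp)
	if err != nil {
		return "", err
	}
	if !checkPassword(authc, passwd) {
		return "", errors.New("invalid credentials")
	}
	if authz != "" && authz != authc {
		return "", fmt.Errorf("%q is not authorized to act as %q", authc, authz)
	}
	return authc, nil
}

func main() {
	// Constructed attacker message: valid credentials for bob, authzid = alice.
	msg := []byte("alice@example.org\x00bob@example.org\x00bob-secret")
	for _, h := range []struct {
		name string
		fn   func([]byte) (string, error)
	}{{"vulnerable", AuthVulnerable}, {"fixed", AuthFixed}} {
		id, err := h.fn(msg)
		fmt.Printf("%-10s identity=%q err=%v\n", h.name, id, err)
	}
}
```

Running it shows the vulnerable handler returning `alice@example.org` for bob's password while the fixed handler rejects the request; a client that sends no authzid (the usual case for mail clients) behaves identically under both, which is why the bypass is easy to miss in ordinary testing.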
Recommendations
For versions 0.2.0 through 0.6.2, upgrade to version 0.6.3, which resolves the issue.
As a temporary workaround until you can upgrade, consider disabling the PLAIN authentication mechanism.
Restrict use of the SASL authorization username (authzid) to minimize the risk of exploitation.
Exploit
Fix
Improper Authentication
Related identifiers
Affected products
Maddy