CVE-2023-27582

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions maddy versions 0.2.0 through 0.6.2

Description The issue allows for a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username.

Recommendations For versions 0.2.0 through 0.6.2, upgrade to version 0.6.3 to resolve the issue. As a temporary workaround, consider disabling the use of the PLAIN authentication mechanisms until a patch is available. Restrict access to the SASL authorization username to minimize the risk of exploitation.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-305

Related Identifiers

CVE-2023-27582

GHSA-4G76-W3XW-2X6W

GO-2023-1630

Affected Products

Maddy

CVE-2023-27582

Weakness Enumeration

Related Identifiers

Affected Products

References · 10