CVE-2023-27582
CRITICAL9.1EPSS 0.57%Full authentication bypass if SASL authorization username is specified
發布日:2023/3/14修改日:2024/8/20
描述
### Impact maddy 0.2.0 - 0.6.2 allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified authorization username, it is accepted as is after checking the credentials for the authentication username. ### Patches maddy 0.6.3 includes the fix for the bug. ### Workarounds There is no way to fix the issue without upgrading. ### References * Commit that introduced the vulnerable code: https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a * Fix: https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
受影響套件(2)
- Go/github.com/foxcpp/maddy>= 0.2.0, < 0.6.3
- Go/github.com/foxcpp/maddy>= 0.2.0, < 0.6.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-27582
- PATCHhttps://github.com/foxcpp/maddy
- WEBhttps://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a
- WEBhttps://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
- WEBhttps://github.com/foxcpp/maddy/releases/tag/v0.6.3
- WEBhttps://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w