6.5

CVE-2016-0772

EPSS 13.18%
Published 02.09.2016 14:59:00
Last modified 12.04.2025 10:46:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Affected products Warnungen 0 Metrics 3 CWE 1 References 21

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Python Version3.5.0

Python ≫ Python Version3.5.1

Python ≫ Python Version3.0

Python ≫ Python Version3.0.1

Python ≫ Python Version3.1.0

Python ≫ Python Version3.1.1

Python ≫ Python Version3.1.2

Python ≫ Python Version3.1.3

Python ≫ Python Version3.1.4

Python ≫ Python Version3.1.5

Python ≫ Python Version3.2.0

Python ≫ Python Version3.2.1

Python ≫ Python Version3.2.2

Python ≫ Python Version3.2.3

Python ≫ Python Version3.2.4

Python ≫ Python Version3.2.5

Python ≫ Python Version3.2.6

Python ≫ Python Version3.3.0

Python ≫ Python Version3.3.1

Python ≫ Python Version3.3.2

Python ≫ Python Version3.3.3

Python ≫ Python Version3.3.4

Python ≫ Python Version3.3.5

Python ≫ Python Version3.3.6

Python ≫ Python Version3.4.0

Python ≫ Python Version3.4.1

Python ≫ Python Version3.4.2

Python ≫ Python Version3.4.3

Python ≫ Python Version3.4.4

Python ≫ Python Version <= 2.7.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	13.18%	0.939

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.2	4.2	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

http://www.splunk.com/view/SP-CAAAPSV

http://www.splunk.com/view/SP-CAAAPUE

http://rhn.redhat.com/errata/RHSA-2016-1626.html

http://rhn.redhat.com/errata/RHSA-2016-1627.html

http://rhn.redhat.com/errata/RHSA-2016-1628.html

http://rhn.redhat.com/errata/RHSA-2016-1629.html

http://rhn.redhat.com/errata/RHSA-2016-1630.html

http://www.openwall.com/lists/oss-security/2016/06/14/9

Mailing List

http://www.securityfocus.com/bid/91225

https://bugzilla.redhat.com/show_bug.cgi?id=1303647

Third Party Advisory

Issue Tracking

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5

Release Notes

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2

Release Notes

https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS

Release Notes

https://hg.python.org/cpython/rev/b3ce713fb9be

Patch

https://hg.python.org/cpython/rev/d590114c2394

Patch

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

https://security.gentoo.org/glsa/201701-18

https://nvd.nist.gov/vuln/detail/CVE-2016-0772

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-0772

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-0772

EUVD