5.9

CVE-2025-15366

IMAP command injection in user-controlled commands

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
Produkt CPython
Default Statusunaffected
Version 0
Version < 3.15.0a6
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.34% 0.264
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@python.org 5.9 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/python/cpython/issues/143921
https://github.com/python/cpython/pull/143922
https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45
https://github.com/python/cpython/commit/d0921efb665aff26b378f495e5ff84f7e3fe649d
https://github.com/python/cpython/commit/f2cd7ef89aa8a0dcbc7283bbd39548b76f2a736a
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
https://github.com/python/cpython/commit/298182272a740ce2016aee2f54acbd0bba1944c1
https://github.com/python/cpython/commit/71926d943c05bde79bd2a866933103541d91b6a2