
FreeBSD: Python -- smtplib StartTLS stripping vulnerability (CVE-2016-0772)

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: Jun 14, 2016
Added: Jul 4, 2016
Modified: Oct 30, 2017

Description

Red Hat reports:

A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (SMTP server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.
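The check the advisory says client code must perform, as an added example written for this page (it is not code from the advisory, from CPython or from FreeBSD): a constructed local server plays the MITM, advertising STARTTLS in its EHLO reply and then answering the STARTTLS command with 454 while keeping the session open in cleartext, and a client wrapper refuses to hand the session back unless the reply was 220 and the socket was actually wrapped in TLS. The server dialogue, the exception class StartTLSStripped and the functions start_stripping_server, connect_with_mandatory_tls and probe are all assumptions of this example. Fixed smtplib releases raise SMTPResponseException on a non-220 reply; affected releases return the (code, msg) tuple and leave the connection in cleartext, so the wrapper handles both behaviours.

```python
import smtplib
import socket
import ssl
import threading


class StartTLSStripped(Exception):
    """The TLS upgrade did not happen; nothing sensitive may be sent on this session."""


def start_stripping_server():
    """Constructed stand-in for a MITM that strips StartTLS (example only): it greets,
    advertises STARTTLS in its EHLO reply, then answers the STARTTLS command with 454
    and leaves the connection in cleartext. Returns (host, port) and serves one
    client from a daemon thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    listener.listen(1)
    listener.settimeout(5)
    host, port = listener.getsockname()

    def serve():
        try:
            conn, _ = listener.accept()
        except OSError:
            listener.close()
            return
        conn.settimeout(5)
        with listener, conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 mitm.example ESMTP\r\n")
            try:
                for line in lines:
                    cmd = line.strip().upper()
                    if cmd.startswith(b"EHLO"):
                        # Advertise STARTTLS so smtplib's own has_extn() check passes.
                        conn.sendall(b"250-mitm.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
                    elif cmd == b"STARTTLS":
                        # The stripping step: refuse the upgrade but keep the session open.
                        conn.sendall(b"454 4.7.0 TLS not available due to temporary reason\r\n")
                    elif cmd == b"QUIT":
                        conn.sendall(b"221 bye\r\n")
                        break
                    else:
                        conn.sendall(b"500 unrecognised command\r\n")
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def connect_with_mandatory_tls(host, port, context=None):
    """Open an SMTP session and return it only once the socket is actually TLS.

    The reply to STARTTLS must be 220 and the socket must have been wrapped.
    Fixed smtplib releases raise SMTPResponseException on a non-220 reply;
    affected releases return (code, msg) and stay in cleartext, which the
    explicit checks below catch.
    """
    context = context or ssl.create_default_context()
    smtp = smtplib.SMTP(host, port, local_hostname="localhost", timeout=5)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise StartTLSStripped("server did not advertise STARTTLS")
        try:
            code, msg = smtp.starttls(context=context)
        except smtplib.SMTPResponseException as exc:
            raise StartTLSStripped(
                "STARTTLS refused: %d %r" % (exc.smtp_code, exc.smtp_error)) from exc
        if code != 220:
            raise StartTLSStripped("STARTTLS refused: %d %r" % (code, msg))
        if not isinstance(smtp.sock, ssl.SSLSocket):
            raise StartTLSStripped("socket is still cleartext after STARTTLS")
        return smtp
    except BaseException:
        smtp.close()   # never leave a half-upgraded session for the caller to reuse
        raise


def probe(host, port):
    """Return None when a TLS session is established, otherwise the refusal reason."""
    try:
        smtp = connect_with_mandatory_tls(host, port)
    except StartTLSStripped as exc:
        return str(exc)
    smtp.quit()
    return None


if __name__ == "__main__":
    # Against the stripping server this reports the 454 refusal instead of
    # continuing in cleartext.
    print(probe(*start_stripping_server()))
```

Only the session returned by connect_with_mandatory_tls should ever see login() or message data; a server that does not advertise STARTTLS at all is treated the same way as one that refuses it, which is the mandatory-TLS policy rather than opportunistic TLS. The example has no certificate, so it exercises only the refusal path; the success path is the same function returning a session whose sock is an ssl.SSLSocket.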

Solutions

freebsd-upgrade-package-python27
freebsd-upgrade-package-python33
freebsd-upgrade-package-python34
freebsd-upgrade-package-python35