VDB
Severity: MEDIUM (5.4)

GHSA-wgjv-9j3q-jhg8

aiosmtpd STARTTLS unencrypted commands injection

Details

### Summary

Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS and treat them as if they had been sent inside the encrypted connection. Plaintext bytes that arrive together with the STARTTLS command, before the TLS handshake completes, stay in the server's read buffer and are executed once TLS is up. An attacker positioned as a man in the middle on the plaintext part of the session can therefore append commands that the server processes as though the legitimate client had issued them over TLS.
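The following is an added illustration, not aiosmtpd's code and not the advisory's own text. It models the server-side read buffer in two modes: a vulnerable one that carries bytes received alongside STARTTLS across the handshake, and a fixed one that clears the buffer when switching to TLS. The `SmtpSession` class, the `injected_segment()` payload and the `probe()` helper are hypothetical names chosen for this example; the live `probe()` function speaks real SMTP over a socket and is only run by hand.

```python
import socket
import ssl
from typing import List, Tuple

CRLF = b"\r\n"


class SmtpSession:
    """Minimal SMTP command loop; only the buffer handling matters here."""

    def __init__(self, clear_buffer_on_starttls: bool) -> None:
        self.clear_buffer_on_starttls = clear_buffer_on_starttls
        self.buffer = b""
        self.tls = False
        self.awaiting_handshake = False
        self.replies: List[Tuple[str, bool]] = []  # (reply, sent inside TLS?)

    def feed(self, data: bytes) -> None:
        """Bytes arriving from the transport (plaintext or TLS)."""
        self.buffer += data
        self._process_lines()

    def _process_lines(self) -> None:
        # While the handshake is pending nothing may be read as a command.
        while CRLF in self.buffer and not self.awaiting_handshake:
            line, self.buffer = self.buffer.split(CRLF, 1)
            self._dispatch(line.decode("ascii", "replace"))

    def _dispatch(self, line: str) -> None:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS" and not self.tls:
            self.replies.append(("220 Ready to start TLS", False))
            self.awaiting_handshake = True
            if self.clear_buffer_on_starttls:
                # FIXED: RFC 3207 forbids pipelining after STARTTLS, so any
                # leftover plaintext cannot be the client's; drop it.
                self.buffer = b""
            # VULNERABLE: leftover bytes stay queued and run after the handshake.
        elif verb == "NOOP":
            self.replies.append(("250 OK", self.tls))
        elif verb == "EHLO":
            self.replies.append(("250 example.test", self.tls))
        else:
            self.replies.append(("500 Error: command not recognized", self.tls))

    def tls_established(self) -> None:
        """Handshake done; the vulnerable variant now replays stale plaintext."""
        self.tls = True
        self.awaiting_handshake = False
        self._process_lines()


def injected_segment() -> bytes:
    """Constructed MitM payload: the client's STARTTLS plus an appended command."""
    return b"STARTTLS" + CRLF + b"NOOP" + CRLF


def replies_inside_tls_before_client_spoke(clear_buffer: bool) -> List[str]:
    """Replies the server emits inside TLS although the client sent nothing over TLS."""
    session = SmtpSession(clear_buffer_on_starttls=clear_buffer)
    session.feed(injected_segment())
    session.tls_established()
    return [text for text, in_tls in session.replies if in_tls]


def probe(host: str, port: int = 587, timeout: float = 5.0) -> bool:
    """Live check against a real server: True if it answers the injected command
    inside TLS, i.e. it carried plaintext across the STARTTLS boundary."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the server's buffer is under test, not its cert
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.recv(1024)                      # banner
        raw.sendall(b"EHLO probe.test" + CRLF)
        raw.recv(4096)
        raw.sendall(injected_segment())     # STARTTLS and NOOP in one write
        raw.recv(1024)                      # 220 Ready to start TLS
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.settimeout(2.0)
            try:
                unsolicited = tls.recv(1024)  # a correct server sends nothing here
            except socket.timeout:
                return False
            return len(unsolicited) > 0


if __name__ == "__main__":
    print("vulnerable:", replies_inside_tls_before_client_spoke(clear_buffer=False))
    print("fixed:     ", replies_inside_tls_before_client_spoke(clear_buffer=True))
```

With the vulnerable handling the simulated server emits `250 OK` inside TLS for a NOOP the client never sent over TLS; with the buffer cleared at STARTTLS it emits nothing until the client speaks. `probe()` applies the same observation to a live server: any reply read right after the handshake, before the client has written anything encrypted, means plaintext was carried across the boundary.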

### References

* [NO STARTTLS: Similar vulnerabilities discovered by previous researchers.](https://nostarttls.secvuln.info/)


Affected packages

PyPI / aiosmtpd
Introduced in: 0 (all releases before the fix)
Fixed in: 1.4.6
Fix: pip install --upgrade 'aiosmtpd>=1.4.6'
