maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.
References
Configurations
History
17 Mar 2023, 16:20
Type | Values Removed | Values Added |
---|---|---|
CWE | ||
First Time |
Maddy Project maddy
Maddy Project |
|
References | (MISC) https://github.com/foxcpp/maddy/releases/tag/v0.6.3 - Release Notes | |
References | (MISC) https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a - Patch | |
References | (MISC) https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c - Patch | |
References | (MISC) https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:maddy_project:maddy:*:*:*:*:*:*:*:* |
13 Mar 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-13 22:15
Updated : 2023-03-17 16:20
NVD link : CVE-2023-27582
Mitre link : CVE-2023-27582
JSON object : View
Products Affected
maddy_project
- maddy
CWE
CWE-287
Improper Authentication