{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-6923","assignerOrgId":"28c92f92-d60d-412d-b760-e73465c3df22","state":"PUBLISHED","assignerShortName":"PSF","dateReserved":"2024-07-19T15:32:46.458Z","datePublished":"2024-08-01T13:40:11.069Z","dateUpdated":"2025-11-03T22:32:47.018Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["email"],"product":"CPython","vendor":"Python Software Foundation","versions":[{"version":"0","lessThan":"3.8.20","status":"affected","versionType":"python"},{"version":"3.9.0","lessThan":"3.9.20","status":"affected","versionType":"python"},{"version":"3.10.0","lessThan":"3.10.15","status":"affected","versionType":"python"},{"version":"3.11.0","lessThan":"3.11.10","status":"affected","versionType":"python"},{"version":"3.12.0","lessThan":"3.12.5","status":"affected","versionType":"python"},{"version":"3.13.0a1","lessThan":"3.13.0rc2","status":"affected","versionType":"python"}]}],"credits":[{"lang":"en","type":"remediation developer","value":"Petr Viktorin"},{"lang":"en","type":"coordinator","value":"Seth Larson"},{"lang":"en","type":"reporter","value":"John Whitlock"},{"lang":"en","type":"remediation developer","value":"Bas Bloemsaat"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There is a MEDIUM severity vulnerability affecting CPython.<br><br>The email module didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized."}],"value":"There is a MEDIUM severity vulnerability affecting CPython.\n\nThe email module didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is 
serialized."}],"providerMetadata":{"orgId":"28c92f92-d60d-412d-b760-e73465c3df22","shortName":"PSF","dateUpdated":"2025-01-31T19:55:06.174Z"},"references":[{"tags":["patch"],"url":"https://github.com/python/cpython/pull/122233"},{"tags":["issue-tracking"],"url":"https://github.com/python/cpython/issues/121650"},{"tags":["vendor-advisory"],"url":"https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/b158a76ce094897c870fb6b3de62887b7ccc33f1"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/f7c0f09e69e950cf3c5ada9dbde93898eb975533"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/097633981879b3c9de9a1dd120d3aa585ecc2384"}],"source":{"discovery":"UNKNOWN"},"title":"Email header injection due to unquoted newlines","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-94","lang":"en","description":"CWE-94 Improper Control of Generation of Code ('Code 
Injection')"}]}],"affected":[{"vendor":"python","product":"cpython","cpes":["cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"3.13.0rc2","versionType":"python"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-08-01T18:15:02.857863Z","id":"CVE-2024-6923","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-01T18:18:12.965Z"}},{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2024/08/01/3"},{"url":"http://www.openwall.com/lists/oss-security/2024/08/02/2"},{"url":"https://security.netapp.com/advisory/ntap-20240926-0003/"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00005.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:32:47.018Z"}}]}}