CVE-2024-34083: aiosmtpd STARTTLS unencrypted commands injection

May 20, 2024

Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a MitM attack.

References

github.com/advisories/GHSA-wgjv-9j3q-jhg8
github.com/aio-libs/aiosmtpd
github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
nostarttls.secvuln.info/
nvd.nist.gov/vuln/detail/CVE-2024-34083

Detect and mitigate CVE-2024-34083 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →