Advisories for Pypi/Emailproxy package

2023

Expired tokens can be renewed without validating the account password

Impact

In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first configuring the account). An attacker with knowledge of valid account addresses and careful timing (i.e., attempting to log in during a period from 10 minutes prior to the token expiry time, but before a …