Vulnerability Details CVE-2019-20790
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 6.8
References
- https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://sourceforge.net/p/opendmarc/tickets/235/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
- https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://sourceforge.net/p/opendmarc/tickets/235/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
Products affected by CVE-2019-20790
-
cpe:2.3:a:pypolicyd-spf_project:pypolicyd-spf:2.0.2
-
cpe:2.3:a:trusteddomain:opendmarc:1.3.0
-
cpe:2.3:a:trusteddomain:opendmarc:1.3.1
-
cpe:2.3:a:trusteddomain:opendmarc:1.3.2
-
cpe:2.3:a:trusteddomain:opendmarc:1.4.0
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:fedoraproject:fedora:34