CVE-2019-16056

7.5 HIGH

📋 TL;DR

The Python email module incorrectly parses email addresses containing multiple @ characters, allowing attackers to bypass email validation checks. Applications using Python's email module for From/To header validation are vulnerable to accepting malicious email addresses that should be rejected. This affects Python versions through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4.

💻 Affected Systems

Products:
  • Python
  • Applications using Python email module
Versions: Python 2.x through 2.7.16, Python 3.x through 3.5.7, Python 3.6.x through 3.6.9, Python 3.7.x through 3.7.4
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications using Python's email.parser or email.utils modules for email address validation are affected. Applications using third-party email libraries may not be vulnerable.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.

Learn more about Python →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers bypass email-based authentication systems, gain unauthorized access to accounts or systems, or inject malicious content through email validation bypass.

🟠

Likely Case

Email validation bypass allowing spoofed or malicious email addresses to pass through security checks, potentially enabling phishing or spam attacks.

🟢

If Mitigated

Limited impact with proper input validation and email parsing libraries that correctly handle multiple @ characters.

🌐 Internet-Facing: HIGH - Applications processing email from external sources are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal applications using Python email parsing could be exploited through internal email systems or user input.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted email addresses with multiple @ characters to vulnerable applications. Similar to CVE-2019-11340 exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 2.7.17+, 3.5.8+, 3.6.10+, 3.7.5+, 3.8.0+

Vendor Advisory: https://www.python.org/downloads/

Restart Required: Yes

Instructions:

1. Identify the Python version with 'python --version'.
2. Upgrade to a patched version using the system package manager or the Python installer.
3. Restart all Python applications and services.
4. Test email parsing functionality.

🔧 Temporary Workarounds

Input validation workaround

Platform: all

Implement custom email validation that rejects addresses with more than one @ character before the value reaches the Python email module:

  import re

  def validate_email(email):
      # Accept only addresses that contain exactly one '@'
      return len(re.findall('@', email)) == 1

Use alternative email library

Platform: all

Replace Python email module usage with a third-party email validation library that handles multiple @ characters correctly:

  pip install email-validator

  from email_validator import validate_email, EmailNotValidError

🧯 If You Can't Patch

  • Implement strict input validation rejecting any email address containing more than one @ character
  • Use Web Application Firewall (WAF) rules to block email addresses with multiple @ characters

🔍 How to Verify

Check if Vulnerable:

Test email parsing with an address containing multiple @ characters:

  from email.utils import parseaddr
  result = parseaddr('test@@example.com')
  print(result)

Check Version:

python --version or python -c 'import sys; print(sys.version)'

Verify Fix Applied:

After patching, run the same parsing test; it should return an empty result or a properly parsed one, without accepting the invalid address.
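Added example, not from the advisory or from CPython: a version check against the patched releases listed above, plus a hardened wrapper around parseaddr that applies the "exactly one @" workaround so the result is safe even on an unpatched interpreter. Function names and the sample headers are constructed for illustration.

```python
# Added example (not part of the advisory). Version gate derived from the
# patched releases listed on this page, and a parseaddr wrapper that rejects
# any From/To header carrying more than one '@' before trusting the parse.
import sys
from email.utils import parseaddr

# Minimum patched release for each series named in the advisory.
PATCHED = {
    (2, 7): (2, 7, 17),
    (3, 5): (3, 5, 8),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 5),
}


def is_patched_version(version=tuple(sys.version_info[:3])):
    """True if the given (major, minor, micro) carries the CVE-2019-16056 fix."""
    major, minor, _micro = version
    series = (major, minor)
    if series in PATCHED:
        return version >= PATCHED[series]
    if major == 3 and minor < 5:
        return False          # older 3.x branches never received the fix
    return series >= (3, 8)   # 3.8.0+ shipped fixed; other 2.x branches did not


def safe_parseaddr(header):
    """Parse a From/To header, refusing anything with more than one '@'.

    Returns (realname, addr) or raises ValueError. The guard does not rely on
    the interpreter's own parseaddr behaviour, so it holds on unpatched builds.
    """
    if header.count('@') != 1:
        raise ValueError('rejected: address must contain exactly one @')
    realname, addr = parseaddr(header)
    # Second guard: the addr-spec handed back must be exactly what the header
    # carried, so a truncated or re-interpreted address never slips through.
    if not addr or '@' not in addr or addr not in header:
        raise ValueError('rejected: could not parse a single addr-spec')
    return realname, addr


if __name__ == '__main__':
    # Constructed sample headers: one legitimate, two with extra '@' characters.
    print('interpreter patched:', is_patched_version())
    print(safe_parseaddr('Alice <alice@example.com>'))
    for bad in ('test@@example.com', 'a@evil.example@trusted.example'):
        try:
            safe_parseaddr(bad)
        except ValueError as exc:
            print(bad, '->', exc)
```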

📡 Detection & Monitoring

Log Indicators:

  • Multiple @ characters in email addresses in application logs
  • Failed email validation attempts followed by successful authentication

Network Indicators:

  • Email traffic containing addresses with @@ patterns
  • Unusual email format patterns in SMTP traffic

SIEM Query:

source="application.logs" AND "@@" AND ("email" OR "From:" OR "To:")
