The vulnerabilities are implied based on the software and version. Note: the device may not be impacted by all of these issues.

It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

** DISPUTED ** The legacy function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: is categorized as a Legacy API in the documentation of the Python email package. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. Applications should instead use the or class.