
CVE-2023-36632

CVE Details

Visit the official vulnerability details page for CVE-2023-36632 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

python

NIST CVE Summary

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
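The summary above recommends the non-legacy email.parser classes over email.utils.parseaddr. The following Python snippet is added here as an illustration; it is not part of this advisory and not code from the Python project. It contrasts the two paths: the recommended parser (reached via email.message_from_string with policy.default, which routes header parsing through email.parser and email.headerregistry) and a guarded wrapper around the legacy call that enforces a caller-chosen length cap and catches RecursionError, so an oversized or malformed value fails closed instead of crashing the caller. The sample header value, the helper names and the 998-character cap (the RFC 5322 line-length limit) are assumptions chosen for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample input for this example (not taken from the advisory).
SAMPLE_FROM = "Jane Doe <jane.doe@example.com>"

# Caller-chosen cap on header length. 998 is the RFC 5322 line limit; using it
# here is an assumption for the example, not a value from the advisory.
MAX_HEADER_LEN = 998


def parse_with_modern_parser(header_value: str):
    """Parse an address header through the non-legacy email.parser path.

    Wrapping the value in a minimal message lets policy.default hand the
    header to email.headerregistry, which yields structured Address objects
    instead of the (name, addr) tuple of the legacy API.
    """
    # Refuse embedded line breaks so the value cannot smuggle in extra headers
    if "\r" in header_value or "\n" in header_value:
        return []
    msg = email.message_from_string(
        f"From: {header_value}\r\n\r\n", policy=policy.default
    )
    header = msg["from"]
    if header is None:
        return []
    # AddressHeader.addresses is a tuple of email.headerregistry.Address
    return [(a.display_name, a.addr_spec) for a in header.addresses]


def parse_legacy_guarded(header_value: str):
    """Guarded wrapper around the legacy email.utils.parseaddr.

    Returns None (fails closed) when the input exceeds the length cap, when
    the legacy parser hits Python's recursion limit, or when no addr-spec is
    found; otherwise returns the (name, addr) tuple.
    """
    if len(header_value) > MAX_HEADER_LEN:
        return None
    try:
        name, addr = parseaddr(header_value)
    except RecursionError:
        # The legacy parser exceeded the interpreter's recursion limit
        return None
    if not addr:
        return None
    return (name, addr)


if __name__ == "__main__":
    print(parse_with_modern_parser(SAMPLE_FROM))
    print(parse_legacy_guarded(SAMPLE_FROM))
    print(parse_legacy_guarded("x" * (MAX_HEADER_LEN + 1)))
```

The length cap is the practical mitigation for an application that must keep calling the legacy API: the recursion depth scales with the size of the input, so bounding the input before it reaches parseaddr keeps the exception from being reachable from untrusted data in the first place, while the except clause covers the case where a caller forgets to apply the cap.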

CVE Severity

7.5

Our Official Summary

This vulnerability in the email.utils.parseaddr function in Python through 3.11.4 can be triggered through crafted input, which leads to a RecursionError. The error does not introduce security risks such as unauthorized access or code execution. It is therefore a performance or input-handling limitation rather than a security vulnerability, according to the vendor.

The risk scenario is low for the following reasons: these images do not allow arbitrary code execution and this vulnerability cannot be exploited remotely; there are no known reports of exploitation from third-party vendors; and these images are not directly accessible for an attacker to send crafted input. We will upgrade the images when fixes become available from the vendors.

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX      | VerteX Airgap
4.5.15  | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.5.11  | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.5.10  | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.5.8   | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.5.5   | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.5.4   | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact

Revision History

Date       | Revision
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11, 4.5.15
12/11/2024 | Official summary revised: This vulnerability in email.utils.parseaddr function in Python through 3.11.4 can be triggered through crafted input which will lead to infinite recursion error. This error doesn't introduce security risks like unauthorized access, code execution, or other security risks. Therefore, it is a performance or input handling limitation, not a security vulnerability according to the vendor. The risk scenario is low for the following reasons: These images do not allow arbitrary code execution and this vulnerability cannot be exploited remotely. There are no known reports of exploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send crafted input. We will upgrade the images when the fixes become available from the vendors.
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.5.10
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5