First published: Mon Mar 13 2023
maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanism. Instead of validating the specified authorization username, maddy accepts it as is once the credentials for the authentication username have been checked, so any valid account can act as any other. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Maddy Project Maddy | >=0.2.0, <0.6.3 | Update to 0.6.3 or later |
CVE-2023-27582 is rated critical, with a severity score of 9.8.
CVE-2023-27582 is a vulnerability in the maddy mail server that allows a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanism.
You can fix CVE-2023-27582 by updating maddy to version 0.6.3 or later.
You can find more information about CVE-2023-27582 on the GitHub page of maddy, including the commits and release tag that address the vulnerability.
The Common Weakness Enumeration (CWE) entries associated with CVE-2023-27582 are CWE-287 (Improper Authentication) and CWE-305 (Authentication Bypass by Primary Weakness).
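To make the flaw concrete, the following added Go example (not maddy's own code) models a SASL PLAIN handler in the shape the advisory describes: `vulnerableAuth` returns the authorization identity unchecked once the authentication identity's password verifies, while `fixedAuth` only honours an authorization identity the authenticated user is entitled to use. The credential store and the message contents are constructed for illustration.

```go
package main

import "bytes"
import "errors"

// Constructed credential store standing in for a real authentication backend.
var users = map[string]string{"alice": "alice-pw", "bob": "bob-pw"}

// checkPlain parses a SASL PLAIN message (RFC 4616: [authzid] NUL authcid NUL passwd)
// and verifies the password of the authentication identity (authcid) only.
func checkPlain(msg []byte) (authzid, authcid string, err error) {
	parts := bytes.Split(msg, []byte{0})
	if len(parts) != 3 {
		return "", "", errors.New("malformed PLAIN message")
	}
	authzid, authcid = string(parts[0]), string(parts[1])
	if pw, ok := users[authcid]; !ok || pw != string(parts[2]) {
		return "", "", errors.New("bad credentials")
	}
	return authzid, authcid, nil
}

// vulnerableAuth mirrors the flaw in CVE-2023-27582: after the password check
// the authorization identity becomes the effective user without validation.
func vulnerableAuth(msg []byte) (string, error) {
	authzid, authcid, err := checkPlain(msg)
	if err != nil {
		return "", err
	}
	if authzid != "" {
		return authzid, nil // accepted as is: any valid account can act as any mailbox
	}
	return authcid, nil
}

// fixedAuth only honours an authorization identity the authenticated user is
// entitled to use; in this model that is the authenticated identity itself.
func fixedAuth(msg []byte) (string, error) {
	authzid, authcid, err := checkPlain(msg)
	if err != nil {
		return "", err
	}
	if authzid != "" && authzid != authcid {
		return "", errors.New("not authorized to act as " + authzid)
	}
	return authcid, nil
}
```

With the constructed message `"bob\x00alice\x00alice-pw"` (alice's password, bob as authorization identity), `vulnerableAuth` yields `bob` while `fixedAuth` rejects the request.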