CVE-2020-12272 - log

CVE-2020-12272 edited at 19 May 2021 11:16:39
Description
- OpenDMARC through 1.3.2 and 1.4.x before 1.4.1 allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
+ OpenDMARC before 1.4.1 allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
OpenDMARC has added checking to validate that the domain element in both the SPF and DKIM header fields being inspected contains only valid domain name characters. This has been fixed as of OpenDMARC 1.4.1 (March 2021).
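The following Python example is added here to illustrate the class of parsing discrepancy and the character check the description refers to; it is not OpenDMARC's code. The Authentication-Results value (built around the example.net(.example.com substring), the From: domain, the function names, the lax "stop at '('" parser and the simplified relaxed-alignment rule are all assumptions made for this example.

```python
import re
from typing import Optional

# Constructed Authentication-Results value carrying the example.net(.example.com
# substring named in the advisory; it is a sample built for this example, not a
# captured message. The From: domain is likewise assumed.
SAMPLE_AR = "mx.example.org; dkim=pass header.d=example.net(.example.com"
SAMPLE_FROM_DOMAIN = "example.net"

# Characters that may appear in a domain name: letters, digits, hyphen, dot.
_DOMAIN_CHARS = re.compile(r"[A-Za-z0-9.-]+")


def lax_domain(ar_value: str, key: str) -> Optional[str]:
    """Illustrative lax extraction: reads key=value and stops at whitespace, ';'
    or '(', so the '(' is taken as the start of a header comment and everything
    after it is silently dropped. This is the kind of discrepancy an injected
    value can exploit (assumed behaviour, not OpenDMARC's actual parser)."""
    m = re.search(re.escape(key) + r"=([^\s;(]+)", ar_value)
    return m.group(1) if m else None


def raw_domain(ar_value: str, key: str) -> Optional[str]:
    """Take the whole token after key= up to whitespace or ';', with no comment
    handling, so an injected '(' stays visible to the caller."""
    m = re.search(re.escape(key) + r"=([^\s;]+)", ar_value)
    return m.group(1) if m else None


def is_valid_domain(domain: Optional[str]) -> bool:
    """The check the 1.4.1 fix describes: every character must be a domain
    character; additionally every label must be non-empty and at most 63 octets."""
    if not domain or not _DOMAIN_CHARS.fullmatch(domain):
        return False
    return all(0 < len(label) <= 63 for label in domain.split("."))


def checked_domain(ar_value: str, key: str) -> Optional[str]:
    """Hardened extraction: reject the element outright when the raw token
    contains anything that is not a domain character."""
    domain = raw_domain(ar_value, key)
    return domain if is_valid_domain(domain) else None


def relaxed_aligned(from_domain: str, auth_domain: Optional[str]) -> bool:
    """Simplified DMARC relaxed alignment (exact match or parent/child match).
    Real implementations compare organizational domains via a public suffix list."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a or f.endswith("." + a) or a.endswith("." + f)


def evaluate(ar_value: str, from_domain: str, extract) -> bool:
    """DKIM-side DMARC alignment decision using the given extraction function."""
    return relaxed_aligned(from_domain, extract(ar_value, "header.d"))


if __name__ == "__main__":
    print("lax parser domain:  ", lax_domain(SAMPLE_AR, "header.d"))
    print("raw token:          ", raw_domain(SAMPLE_AR, "header.d"))
    print("hardened domain:    ", checked_domain(SAMPLE_AR, "header.d"))
    print("aligned (lax):      ", evaluate(SAMPLE_AR, SAMPLE_FROM_DOMAIN, lax_domain))
    print("aligned (hardened): ", evaluate(SAMPLE_AR, SAMPLE_FROM_DOMAIN, checked_domain))
```

With the sample value, the lax parser yields `example.net` and reports alignment, while the hardened path sees the full token `example.net(.example.com`, rejects it as not a domain, and reports no alignment. The practical check for operators is simply to be on OpenDMARC 1.4.1 or later; the validator above is a stand-in for the project's own character check, not a substitute for upgrading.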
CVE-2020-12272 edited at 07 May 2021 16:59:06
Description
- OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
+ OpenDMARC through 1.3.2 and 1.4.x before 1.4.1 allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
OpenDMARC has added checking to validate that the domain element in both the SPF and DKIM header fields being inspected contains only valid domain name characters. This has been fixed as of OpenDMARC 1.4.1 (March 2021).
CVE-2020-12272 edited at 21 Mar 2021 16:40:00
Description
OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
+
+ OpenDMARC has added checking to validate that the domain element in both the SPF and DKIM header fields being inspected contains only valid domain name characters. This has been fixed as of OpenDMARC 1.4.1 (March 2021).
References
+ https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2020-12272
+ https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
https://sourceforge.net/p/opendmarc/tickets/237/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
+ https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e
CVE-2020-12272 edited at 21 Dec 2020 13:02:42
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Content spoofing
Description
+ OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
References
+ https://sourceforge.net/p/opendmarc/tickets/237/
+ https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
Notes
CVE-2020-12272 created at 21 Dec 2020 13:00:43