CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 56.4%
maddy 0.2.0 - 0.6.2 allows a full authentication bypass if a SASL authorization username (the authzid field) is specified when using the PLAIN authentication mechanism. Instead of validating the specified authorization username, it is accepted as-is once the credentials for the authentication username have been checked.
maddy 0.6.3 includes the fix for the bug.
There is no way to fix the issue without upgrading.
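The behaviour described above, as an added example in Go that is not maddy's code: a SASL PLAIN handler that checks the authentication identity's password but trusts the authorization identity as-is, beside a hardened version that only accepts an authorization identity equal to the one whose password was verified. The credential store, identities and password are constructed for the demo.

```go
package main
import (
	"bytes"
	"crypto/subtle"
	"errors"
)

// Constructed credential store (plaintext only to keep the demo short).
var users = map[string]string{"alice@example.org": "alice-secret"}

// verifyCredentials splits a SASL PLAIN response (RFC 4616), [authzid] NUL
// authcid NUL passwd, and checks authcid's password. authzid is NOT authorized yet.
func verifyCredentials(resp []byte) (authzid, authcid string, err error) {
	p := bytes.Split(resp, []byte{0})
	if len(p) != 3 || len(p[1]) == 0 {
		return "", "", errors.New("malformed PLAIN response")
	}
	authzid, authcid = string(p[0]), string(p[1])
	want, ok := users[authcid]
	if !ok || subtle.ConstantTimeCompare([]byte(want), p[2]) != 1 {
		return "", "", errors.New("invalid credentials")
	}
	return authzid, authcid, nil
}

// authPlainVulnerable mirrors the flaw in the advisory: after authcid's
// password is verified, a non-empty authzid is accepted as the effective user.
func authPlainVulnerable(resp []byte) (string, error) {
	authzid, authcid, err := verifyCredentials(resp)
	if err != nil {
		return "", err
	}
	if authzid != "" {
		return authzid, nil // flaw: caller becomes whoever they named
	}
	return authcid, nil
}

// authPlainFixed lets a client act only as itself: a non-empty authzid must
// equal the identity whose password was verified (no proxy-auth support here).
func authPlainFixed(resp []byte) (string, error) {
	authzid, authcid, err := verifyCredentials(resp)
	if err != nil {
		return "", err
	}
	if authzid != "" && authzid != authcid {
		return "", errors.New("authorization identity not permitted")
	}
	return authcid, nil
}
```

A server that does support proxy authorization would replace the equality test with an explicit lookup of which identities authcid may act for; the point is that the decision must be made, not skipped.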
github.com/foxcpp/maddy
github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a
github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c
github.com/foxcpp/maddy/releases/tag/v0.6.3
github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w
nvd.nist.gov/vuln/detail/CVE-2023-27582