CVE-2024-34083
Publication date 18 May 2024
Last updated 4 August 2025
Ubuntu priority
Description
aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-aiosmtpd | 25.10 questing |
Needs evaluation
|
| 25.04 plucky |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.4 · Medium
|
| Attack vector | Adjacent |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |