VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published May 18, 2024 · Updated Apr 15, 2026

CVE-2024-34083


Description

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.
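To make the failure mode in the description concrete, here is an added example (my own code, not aiosmtpd's) that models a line-buffered SMTP server's STARTTLS transition. The session object, the constructed byte sequence and the `clear_buffer_on_starttls` switch are all assumptions for illustration. With the switch off, a plaintext command that was read into the buffer ahead of the TLS handshake is later processed with the "over TLS" flag set, which is exactly what the advisory describes; with the switch on (the behaviour of the 1.4.6 fix), the read-ahead bytes are dropped and only what the client sends after the handshake is handled as TLS-protected input.

```python
# Added example, not aiosmtpd's code: a toy model of a line-buffered SMTP
# session to show why the read buffer must be emptied when the transport is
# upgraded to TLS (RFC 3207 section 4.2 requires the server to discard client
# state obtained before the TLS negotiation).

from typing import List, Optional, Tuple

CommandLog = List[Tuple[str, bool]]  # (command verb, received_over_tls)


class ModelSmtpSession:
    """One byte buffer plus a flag for whether TLS is active (assumed model)."""

    def __init__(self, clear_buffer_on_starttls: bool) -> None:
        self.clear_buffer_on_starttls = clear_buffer_on_starttls
        self.buffer = bytearray()
        self.tls_active = False
        self.log: CommandLog = []

    def feed(self, data: bytes) -> None:
        """Bytes arriving from the transport (plaintext socket or TLS stream)."""
        self.buffer += data

    def _readline(self) -> Optional[bytes]:
        end = self.buffer.find(b"\r\n")
        if end < 0:
            return None
        line = bytes(self.buffer[:end])
        del self.buffer[: end + 2]
        return line

    def process(self) -> None:
        """Consume complete lines; stop after STARTTLS because the transport changes."""
        while (line := self._readline()) is not None:
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            self.log.append((verb, self.tls_active))
            if verb == "STARTTLS":
                self.tls_active = True  # server answers 220 and the handshake runs here
                if self.clear_buffer_on_starttls:
                    # The 1.4.6 fix: drop plaintext that was read ahead of the
                    # handshake so it cannot be treated as TLS-protected input.
                    self.buffer.clear()
                return


def run_scenario(clear_buffer_on_starttls: bool) -> CommandLog:
    """Replay one session in which plaintext bytes were pipelined past STARTTLS."""
    session = ModelSmtpSession(clear_buffer_on_starttls)
    # Constructed input: STARTTLS followed, in the same write, by a further
    # command that never travels over TLS.
    session.feed(
        b"EHLO client.example\r\n"
        b"STARTTLS\r\n"
        b"MAIL FROM:<plaintext@example.invalid>\r\n"
    )
    session.process()
    # After the handshake the genuine client restarts the dialogue over TLS.
    session.feed(b"EHLO client.example\r\n")
    session.process()
    return session.log


def commands_accepted_over_tls(log: CommandLog) -> List[str]:
    """Verbs the server believed it received inside the encrypted connection."""
    return [verb for verb, over_tls in log if over_tls]


if __name__ == "__main__":
    for fixed in (False, True):
        print("clear buffer on STARTTLS:", fixed,
              "->", commands_accepted_over_tls(run_scenario(fixed)))
```

The only difference between the two runs is the single `buffer.clear()` on the STARTTLS path, which mirrors the one-line `self._reader._buffer.clear()` in the fix commit; a regression test for the real server would assert the same thing, that a command pipelined behind STARTTLS is never executed once TLS is active.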

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Source   Affected versions   Patched versions
aiosmtpd   PyPI     < 1.4.6             1.4.6

Patches

1 commit · b3a4a2c6ecfd

starttls: Clear unencrypted commands from buffer (#380)

https://github.com/aio-libs/aiosmtpd · Arusekk · May 18, 2024 · via ghsa
2 files changed · +7 −0
  • aiosmtpd/docs/NEWS.rst · +4 −0 · modified
    @@ -4,6 +4,10 @@
     
     .. towncrier release notes start
     
    +1.4.6 (2024-05-06)
    +==================
    +
    +* STARTTLS is now fully enforced if used.
     
     1.4.5 (2024-03-02)
     ==================
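Review bot: the 1.4.6 entry "STARTTLS is now fully enforced if used." understates what this release fixes; the accompanying smtp.py change exists to stop plaintext commands read ahead of the STARTTLS handshake from being processed as if they had arrived over TLS, so the note should say that plainly (e.g. "Unencrypted commands pipelined after STARTTLS are now discarded instead of executed") and link the advisory, so that packagers and users scanning the changelog recognise 1.4.6 as the patched version.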
    
  • aiosmtpd/smtp.py · +3 −0 · modified
    @@ -504,6 +504,9 @@ def connection_made(self, transport: asyncio.BaseTransport) -> None:
                 self._reader._transport = transport  # type: ignore[attr-defined]
                 self._writer._transport = transport  # type: ignore[attr-defined]
                 self.transport = transport
    +            # Discard any leftover unencrypted data
    +            # See https://tools.ietf.org/html/rfc3207#page-7
    +            self._reader._buffer.clear()  # type: ignore[attr-defined]
                 # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
                 # _extra a protected attribute?
                 assert self._tls_protocol is not None
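Review bot: the fix relies on clearing `self._reader._buffer`, a private attribute of asyncio's StreamReader (hence the `type: ignore`), and the commit carries no regression test. The private access is consistent with the surrounding lines that already assign `_reader._transport`, but a test that writes STARTTLS and a further command in one segment and asserts that the trailing command is rejected after the handshake would keep a later StreamReader change from silently reintroducing the issue. The comment could also spell out the RFC 3207 requirement it links to (the server must discard client state obtained before the TLS negotiation), which explains why the buffer, and not only the transport, has to be reset here.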
    
