aiosmtpd STARTTLS unencrypted commands injection

GHSA-wgjv-9j3q-jhg8 · CVE-2024-34083

Published May 20, 2024 · Modified Jun 10, 2026

Description

Summary

Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a MitM attack.

References

NO STARTTLS: Similar vulnerabilities discovered by previous researchers.

References

WEB https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-34083
WEB https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
PACKAGE https://github.com/aio-libs/aiosmtpd
WEB https://nostarttls.secvuln.info

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes