CVE Vulnerabilities

CVE-2019-20790

Authentication Bypass by Spoofing

Published: Apr 27, 2020 | Modified: Nov 07, 2023
CVSS 3.x: 9.8 CRITICAL
Source: NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu: MEDIUM

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.

Weakness

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Opendmarc | Trusteddomain | 1.3.0 (including) | 1.3.2 (including) |
| Opendmarc | Ubuntu | bionic | * |
| Opendmarc | Ubuntu | eoan | * |
| Opendmarc | Ubuntu | groovy | * |
| Opendmarc | Ubuntu | hirsute | * |
| Opendmarc | Ubuntu | impish | * |
| Opendmarc | Ubuntu | kinetic | * |
| Opendmarc | Ubuntu | lunar | * |
| Opendmarc | Ubuntu | mantic | * |
| Opendmarc | Ubuntu | trusty | * |
| Opendmarc | Ubuntu | xenial | * |

References