Python poplib Module Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Python poplib module. When a user-controlled command is sent to the server, additional commands can be injected by embedding newline characters in it, because the module does not validate the command line before writing it to the connection. The vulnerability affects the standard library poplib module in CPython.
Impact
Exploitation of this vulnerability allows command injection: an attacker who controls the text of a command can append additional POP3 commands, which the poplib module transmits and the server then processes as separate commands.
Reproduction
To reproduce this vulnerability, send a command through the poplib module that contains newline characters. The module writes the command as-is, and the server processes any additional commands that were injected after the newlines. This can be done by creating a POP3 client and sending a user command that violates the RFC by including control characters.
Remediation
The vulnerability has been addressed by updating the poplib module to reject commands containing control characters before they are sent. Users should ensure they are running a version of Python that includes this fix.
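An added illustration of the unsafe pattern beside the hardened one, written for this page rather than taken from CPython's own code or patch: a naive client passes the caller's text straight to the wire, so an embedded CRLF is parsed by the server as a second command, while a client that rejects control characters first refuses the whole line. The server-side line splitter is a constructed stand-in, and the validation regex is an assumption about what "control characters" should cover.

```python
import re

CRLF = b"\r\n"

# RFC 1939 commands are a single line of printable ASCII; any control character
# (0x00-0x1F or 0x7F, which covers CR and LF) has no place inside one.
# This check is an illustration for this page, not CPython's own patch.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class InvalidCommandError(ValueError):
    """Raised when a caller-supplied command line contains control characters."""


def validate_command(line: str) -> str:
    """Return the line unchanged if it is clean, otherwise refuse it."""
    if _CONTROL_CHARS.search(line):
        raise InvalidCommandError(f"control character in POP3 command: {line!r}")
    return line


def naive_putcmd(line: str) -> bytes:
    """Unsafe pattern: encode the caller's text and append CRLF with no checks."""
    return line.encode("utf-8") + CRLF


def hardened_putcmd(line: str) -> bytes:
    """Safe pattern: validate first, then encode and terminate the line."""
    return validate_command(line).encode("utf-8") + CRLF


def server_sees(wire: bytes) -> list[bytes]:
    """Constructed stand-in for a POP3 server's line reader: every
    CRLF-terminated line on the wire is parsed as a separate command."""
    return [part for part in wire.split(CRLF) if part]


def rejects(line: str) -> bool:
    """True if the hardened client refuses to send the given line."""
    try:
        hardened_putcmd(line)
    except InvalidCommandError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: one "command" that smuggles a second line after a CRLF.
    smuggled = "USER alice\r\nNOOP"
    print("naive client, server parses:", server_sees(naive_putcmd(smuggled)))
    print("hardened client rejects it:", rejects(smuggled))
```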
