CVE-2023-27043: 
NixOS vulnerability analysis and mitigation

CVE-2023-27043 affects the email module in Python versions through 2.7.18 and 3.0 through 3.11.3. The vulnerability was discovered on March 24, 2023, and publicly disclosed on April 19, 2023. The vulnerability exists in the email/_parseaddr.py component where the module incorrectly parses email addresses containing special characters, leading to incorrect identification of the addr-spec value in RFC2822 headers (Python Security, NVD).

The vulnerability occurs in the email module's parsing functionality where it incorrectly handles email addresses containing special characters. When parsing RFC2822 headers, the wrong portion is identified as the value of the addr-spec. The issue specifically affects the getaddresses and parseaddr functions from the email.utils module. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability can be exploited to bypass protection mechanisms that rely on email address verification. In applications where access is granted only after verifying receipt of email to a specific domain (e.g., only @company.example.com addresses may be used for signup), an attacker could bypass these restrictions. This could allow attackers to send messages from email addresses that would otherwise be rejected (NVD, GitHub Issue).

The issue has been addressed in various Python versions through security updates. For systems that cannot immediately update, two mitigation methods are available: 1) Setting the PYTHONEMAILDISABLESTRICTADDR_PARSING environment variable to control parsing behavior, and 2) Using a configuration file at /etc/python/email.cfg to manage parsing behavior. The fixed versions include patches that implement stricter parsing of email addresses (Red Hat).