{"id":"PYSEC-2023-82","details":"Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.","aliases":["CVE-2023-33185","GHSA-qg36-9jxh-fj25"],"modified":"2023-11-08T04:12:39.443618Z","published":"2023-05-26T21:15:00Z","references":[{"type":"WEB","url":"https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md"},{"type":"FIX","url":"https://github.com/django-ses/django-ses/commit/b71b5f413293a13997b6e6314086cb9c22629795"},{"type":"ADVISORY","url":"https://github.com/django-ses/django-ses/security/advisories/GHSA-qg36-9jxh-fj25"}],"affected":[{"package":{"name":"django-ses","ecosystem":"PyPI","purl":"pkg:pypi/django-ses"},"ranges":[{"type":"GIT","repo":"https://github.com/django-ses/django-ses","events":[{"introduced":"0"},{"fixed":"b71b5f413293a13997b6e6314086cb9c22629795"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.5.0"}]}],"versions":["0.1","0.2","0.3.0","0.4.0","0.4.1","0.6.0","0.7.0","0.7.1","0.8.0","0.8.1","0.8.10","0.8.11","0.8.12","0.8.13","0.8.14","0.8.2","0.8.3","0.8.3.1","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","1.0.0","1.0.1","1.0.2","1.0.3","2.0.0","2.1.0","2.1.1","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.4.0","2.5.0","2.6.0","2.6.1","3.0.0","3.0.1","3.1.0","3.1.2","3.2.0","3.2.1","3.2.2","3.3.0","3.4.0","3.4.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django-ses/PYSEC-2023-82.yaml"}}],"schema_version":"1.7.3"}