{"id":"UBUNTU-CVE-2019-20790","details":"OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.","modified":"2026-01-20T17:08:57.239032Z","published":"2020-04-27T14:15:00Z","upstream":["CVE-2019-20790"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-20790"},{"type":"REPORT","url":"https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816"},{"type":"REPORT","url":"https://sourceforge.net/p/opendmarc/tickets/235/"},{"type":"REPORT","url":"https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-20790"}],"affected":[{"package":{"name":"opendmarc","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/opendmarc@1.3.1+dfsg-3ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.1+dfsg-2","1.3.1+dfsg-3","1.3.1+dfsg-3ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.3.1+dfsg-3ubuntu0.1~esm1"},{"binary_name":"libopendmarc2","binary_version":"1.3.1+dfsg-3ubuntu0.1~esm1"},{"binary_name":"opendmarc","binary_version":"1.3.1+dfsg-3ubuntu0.1~esm1"},{"binary_name":"rddmarc","binary_version":"1.3.1+dfsg-3ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}},{"package":{"name":"opendmarc","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/opendmarc@1.3.2-3ubuntu0.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.2-2","1.3.2-3","1.3.2-3ubuntu0.1","1.3.2-3ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.3.2-3ubuntu0.2"},{"binary_name":"libopendmarc2","binary_version":"1.3.2-3ubuntu0.2"},{"binary_name":"opendmarc","binary_version":"1.3.2-3ubuntu0.2"},{"binary_name":"rddmarc","binary_version":"1.3.2-3ubuntu0.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}},{"package":{"name":"opendmarc","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/opendmarc@1.3.2-7ubuntu0.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.2-6","1.3.2-7","1.3.2-7ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.3.2-7ubuntu0.1"},{"binary_name":"libopendmarc2","binary_version":"1.3.2-7ubuntu0.1"},{"binary_name":"opendmarc","binary_version":"1.3.2-7ubuntu0.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}},{"package":{"name":"opendmarc","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/opendmarc@1.4.2-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.0~beta1+dfsg-6","1.4.1.1-1","1.4.1.1-2","1.4.2-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.4.2-1"},{"binary_name":"libopendmarc2","binary_version":"1.4.2-1"},{"binary_name":"opendmarc","binary_version":"1.4.2-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}},{"package":{"name":"opendmarc","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/opendmarc@1.4.2-4.1build2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.2-3","1.4.2-4","1.4.2-4.1build1","1.4.2-4.1build2"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.4.2-4.1build2"},{"binary_name":"libopendmarc2t64","binary_version":"1.4.2-4.1build2"},{"binary_name":"opendmarc","binary_version":"1.4.2-4.1build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}},{"package":{"name":"opendmarc","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/opendmarc@1.4.2-5.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.2-5","1.4.2-5.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libopendmarc-dev","binary_version":"1.4.2-5.1"},{"binary_name":"libopendmarc2t64","binary_version":"1.4.2-5.1"},{"binary_name":"opendmarc","binary_version":"1.4.2-5.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-20790.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}