{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-20T21:47:09Z",
  "bugzilla" : {
    "description" : "cpython: POP3 command injection in user-controlled commands",
    "id" : "2431373",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431373"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. Mitigation rejects commands\ncontaining control characters.", "A flaw was found in the poplib module in the Python standard library. The poplib module does not reject control characters, such as newlines, in user-controlled input passed to POP3 commands. This issue allows an attacker to inject additional commands that are then executed by the POP3 server." ],
  "statement" : "To exploit this issue, an attacker needs to have the privileges required to send malicious input to an application that sends POP3 commands to a server. This flaw can allow attackers to manipulate the state of the mailbox (e.g., delete emails) and to potentially read metadata or specific email content, but it does not allow arbitrary code execution or OS command injection. For these reasons, this issue has been rated as Moderate severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-17T00:00:00Z",
    "advisory" : "RHSA-2026:4713",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "python3.12-0:3.12.12-3.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5315",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "python3.12-0:3.12.9-2.el10_0.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6007",
    "cpe" : "cpe:/o:redhat:rhel_els:6",
    "package" : "python-0:2.6.6-70.el6_10.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5393",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "python-0:2.7.5-94.el7_9.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6464",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "python3-0:3.6.8-21.el7_9.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2128",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-73.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4463",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.12-0:3.12.12-3.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4473",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.11-0:3.11.13-5.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2128",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-73.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5216",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "python3-0:3.6.8-24.el8_2.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5221",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "python3-0:3.6.8-39.el8_4.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5221",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "python3-0:3.6.8-39.el8_4.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5215",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5215",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5215",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-19T00:00:00Z",
    "advisory" : "RHSA-2026:5152",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "python3.11-0:3.11.2-2.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6008",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "python3-0:3.6.8-51.el8_8.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-19T00:00:00Z",
    "advisory" : "RHSA-2026:5152",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "python3.11-0:3.11.2-2.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6008",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "python3-0:3.6.8-51.el8_8.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-10T00:00:00Z",
    "advisory" : "RHSA-2026:4165",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.12-4.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-10T00:00:00Z",
    "advisory" : "RHSA-2026:4168",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-3.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-10T00:00:00Z",
    "advisory" : "RHSA-2026:4216",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.13-5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-03-10T00:00:00Z",
    "advisory" : "RHSA-2026:4168",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-3.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5219",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "python3.9-0:3.9.10-4.el9_0.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5223",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "python3.11-0:3.11.2-2.el9_2.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5225",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "python3.9-0:3.9.16-1.el9_2.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5226",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "python3.9-0:3.9.18-3.el9_4.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5399",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "python3.12-0:3.12.1-4.el9_4.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-31T00:00:00Z",
    "advisory" : "RHSA-2026:6253",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "python3.11-0:3.11.7-1.el9_4.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-17T00:00:00Z",
    "advisory" : "RHSA-2026:4746",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "python3.12-0:3.12.9-1.el9_6.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-23T00:00:00Z",
    "advisory" : "RHSA-2026:5218",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "python3.9-0:3.9.21-2.el9_6.4"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "release_date" : "2026-03-24T00:00:00Z",
    "advisory" : "RHSA-2026:5606",
    "cpe" : "cpe:/a:redhat:ceph_storage:8::el9",
    "package" : "rhceph/rhceph-8-rhel9:sha256:1160569002c25d3d349bbe41b57eeffade438853d3419edca01813227440f414"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:sha256:2c50c87906a1abebf427a70f401c409f1258cb55d2096f517db870ec991cfd7f"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "python3.14",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python39-devel:3.9/python39",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "python3.14",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-aws-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-gcp-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces-tech-preview/idea-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-15367\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15367\nhttps://github.com/python/cpython/issues/143923\nhttps://github.com/python/cpython/pull/143924\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/" ],
  "name" : "CVE-2025-15367",
  "mitigation" : {
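    "value" : "To mitigate this vulnerability, ensure that no data passed to the poplib module contains newline or carriage return characters. Applications should validate untrusted input and reject it if it contains these characters before it is used in a POP3 command.",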
    "lang" : "en:us"
  },
  "csaw" : false
}