CVE-2016-0772

6.5 MEDIUM

Published: September 02, 2016 Modified: May 06, 2026

Description

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1626.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1627.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1628.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1629.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1630.html

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2016/06/14/9

Source: secalert@redhat.com

Mailing List

http://www.securityfocus.com/bid/91225

Source: secalert@redhat.com

http://www.splunk.com/view/SP-CAAAPSV

Source: secalert@redhat.com

http://www.splunk.com/view/SP-CAAAPUE

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1303647

Source: secalert@redhat.com

Issue Tracking Third Party Advisory

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5

Source: secalert@redhat.com

Release Notes

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2

Source: secalert@redhat.com

Release Notes

https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS

Source: secalert@redhat.com

Release Notes

https://hg.python.org/cpython/rev/b3ce713fb9be

Source: secalert@redhat.com

Patch

https://hg.python.org/cpython/rev/d590114c2394

Source: secalert@redhat.com

Patch

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

Source: secalert@redhat.com

https://security.gentoo.org/glsa/201701-18

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1626.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1627.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1628.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1629.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1630.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2016/06/14/9

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

http://www.securityfocus.com/bid/91225

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.splunk.com/view/SP-CAAAPSV

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.splunk.com/view/SP-CAAAPUE

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1303647

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Third Party Advisory

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://hg.python.org/cpython/rev/b3ce713fb9be

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://hg.python.org/cpython/rev/d590114c2394

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201701-18

Source: af854a3a-2127-422b-91ae-364da2661108

36 reference(s) from NVD

Quick Stats

CVSS v3 Score

6.5 / 10.0

EPSS (Exploit Probability)

7.6%

92th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-693

Affected Vendors

python

Related CVEs

CVE-2026-8086 5.3

CVE-2026-8084 3.3

CVE-2026-8083 7.3

CVE-2026-44742 7.2

CVE-2026-44244 7.8