{"id":"CVE-2019-20790","details":"OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.","modified":"2026-04-09T06:40:39.863697Z","published":"2020-04-27T14:15:11.127Z","related":["MGASA-2021-0462"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/"},{"type":"ADVISORY","url":"https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf"},{"type":"EVIDENCE","url":"https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816"},{"type":"EVIDENCE","url":"https://sourceforge.net/p/opendmarc/tickets/235/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/trusteddomainproject/opendmarc","events":[{"introduced":"28c12f4e2b740a1556ccee0907b924e4c970759d"},{"last_affected":"0d65077648569076c103b73f30ca86c14e1811a5"},{"introduced":"0"},{"last_affected":"a29adab78ea9b6625066fdc482eae0ec6aa19ca6"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"last_affected":"1.3.2"},{"introduced":"0"},{"last_affected":"1.4.0"}]}}],"versions":["rel-opendmarc-1-3-0","rel-opendmarc-1-3-1","rel-opendmarc-1-3-1-Beta0","rel-opendmarc-1-3-1-Beta1","rel-opendmarc-1-3-2","rel-opendmarc-1-4-0","rel-opendmarc-1-4-0-Beta0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20790.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}