cve/2023/CVE-2023-33185.md

### [CVE-2023-33185](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33185)
![](https://img.shields.io/static/v1?label=Product&message=django-ses&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%203.5.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-347%3A%20Improper%20Verification%20of%20Cryptographic%20Signature&color=brighgreen)

### Description

Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

### POC

#### Reference
- https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md

#### Github
No PoCs found on GitHub currently.
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-33185](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33185)`
			`![](https://img.shields.io/static/v1?label=Product&message=django-ses&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%203.5.0%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-347%3A%20Improper%20Verification%20of%20Cryptographic%20Signature&color=brighgreen)`

			`### Description`

			Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.

			`### POC`

			`#### Reference`
			`- https://github.com/django-ses/django-ses/blob/3d627067935876487f9938310d5e1fbb249a7778/CVE/001-cert-url-signature-verification.md`

			`#### Github`
			`No PoCs found on GitHub currently.`