Improper Certificate Validation Using imaplib

The Python class imaplib.IMAP4_SSL, when its ssl_context parameter is unset or None, creates an SSL context that does not verify the server's certificate. This means that an attacker can easily impersonate a legitimate server and fool your application into connecting to it.

If you use imaplib.IMAP4_SSL or IMAP4.starttls() without an ssl_context set, you are opening your application up to a number of security risks, including:

  • Man-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

import imaplib


# No ssl_context is passed, so imaplib builds an unverified context:
# the server certificate and hostname are never checked.
with imaplib.IMAP4_SSL("domain.org") as imap4:
    imap4.noop()
    imap4.login("user", "password")

Remediation

Pass ssl.create_default_context() as the ssl_context keyword argument so that the server's certificate chain and hostname are fully verified.

import imaplib
import ssl


# create_default_context() loads the system trust store and enables
# check_hostname with verify_mode=CERT_REQUIRED.
with imaplib.IMAP4_SSL(
    "domain.org",
    ssl_context=ssl.create_default_context(),
) as imap4:
    imap4.noop()
    imap4.login("user", "password")
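The following is an added example, not part of the original page: a small audit helper that tells a verified context from an unverified one, plus a connection wrapper that applies the fix to both the implicit-TLS and the STARTTLS paths. The function names and the stand-in for imaplib's default context are assumptions made for illustration.

```python
import imaplib
import ssl


def context_verifies_peer(ctx):
    """True only if the context validates the chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def verified_context(cafile=None):
    """Context imaplib should be given: system trust store (or a pinned CA
    bundle via cafile), hostname checking on, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    assert context_verifies_peer(ctx)
    return ctx


def unverified_context_like_imaplib_default():
    """Constructed stand-in for what imaplib builds when ssl_context is None:
    no chain validation and no hostname check. Used here for the audit only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def open_imap(host, starttls=False, ctx=None):
    """Hypothetical connection wrapper: always passes a verifying context,
    whether using implicit TLS on 993 or STARTTLS on 143. Needs network
    access, so it is defined but not called in this example."""
    ctx = ctx or verified_context()
    if starttls:
        conn = imaplib.IMAP4(host, 143)
        conn.starttls(ssl_context=ctx)   # without ssl_context this would also skip verification
        return conn
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
```

`context_verifies_peer()` can be run against any `IMAP4_SSL` instance's `ssl_context` attribute in a unit test to catch a regression to the unverified default.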

New in version 0.3.14