[prev in list] [next in list] [prev in thread] [next in thread] 

List:       james-user
Subject:    CVE-2023-51747: SMTP smuggling in Apache James
From:       Benoit Tellier <btellier () apache ! org>
Date:       2024-02-27 12:28:33
Message-ID: 5180c151-2a7a-75c2-49e9-797342d8fe5a () apache ! org
[Download RAW message or body]

Severity: important

Affected versions:

- Apache James server through 3.7.4
- Apache James server 3.8 through 3.8.0

Description:

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of \
interpretation between the sender and the receiver which can be exploited by an \
attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA \
transaction.

We recommend James users to upgrade to non vulnerable versions.

Credit:

Benoit TELLIER (coordinator)

References:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://postfix.org/smtp-smuggling.html
https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51747


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]