List:       oss-security
Subject:    [oss-security] CVE-2023-51747: SMTP smuggling in Apache James
From:       Benoit Tellier <btellier () apache ! org>
Date:       2024-02-27 12:28:33
Message-ID: caae87f6-2f72-9701-fc2a-97e716c5edbd () apache ! org

Severity: important

Affected versions:

- Apache James server through 3.7.4
- Apache James server 3.8 through 3.8.0

Description:

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation
between the sender and the receiver, which an attacker can exploit to forge an SMTP
envelope, allowing, for instance, SPF checks to be bypassed.

The patch enforces CRLF as the line delimiter within the DATA transaction.

We recommend that James users upgrade to a non-vulnerable version.

Credit:

Benoit TELLIER (coordinator)

References:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://postfix.org/smtp-smuggling.html
https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51747
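
The difference of interpretation described above, and the effect of enforcing CRLF in DATA, shown as an added example (not code from Apache James or from this advisory). The function names and sample byte strings are constructed for illustration, and the sketch assumes the whole DATA payload is already in memory and skips dot-unstuffing.

```python
import re

# A bare LF (not preceded by CR) or a bare CR (not followed by LF).
BARE_LINE_BREAK = re.compile(rb"(?<!\r)\n|\r(?!\n)")
STRICT_EOD = b"\r\n.\r\n"  # the only end-of-data sequence RFC 5321 defines

def lenient_end_of_data(stream: bytes):
    """Model of a lenient receiver: any of CRLF, LF or CR may surround the dot.
    Returns the offset just past the terminator it would accept, or None."""
    m = re.search(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)", stream)
    return m.end() if m else None

def strict_read_data(stream: bytes):
    """Model of a strict receiver: CRLF is the only line delimiter in DATA.
    Returns (message, remaining bytes); raises ValueError on a bare CR or LF."""
    end = stream.find(STRICT_EOD)
    if end < 0:
        raise ValueError("no <CRLF>.<CRLF> terminator")
    message = stream[:end + 2]  # keep the CRLF that ends the last line
    bare = BARE_LINE_BREAK.search(message)
    if bare:
        raise ValueError(f"bare line break at offset {bare.start()}")
    return message, stream[end + len(STRICT_EOD):]

# Constructed sample inputs (not captured traffic).
CLEAN = b"Subject: one\r\n\r\nhello\r\n.\r\n"
AMBIGUOUS = b"Subject: one\r\n\r\nhello\n.\nbytes after the bare-LF dot\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(name, "lenient receiver ends DATA at", lenient_end_of_data(data))
        try:
            message, rest = strict_read_data(data)
            print(name, "strict receiver accepts", len(message), "bytes")
        except ValueError as err:
            print(name, "strict receiver rejects:", err)
```

On the ambiguous input the lenient model ends the message before the end of the payload, while the strict model refuses the transaction outright, so the two sides can no longer disagree about where the message stops.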

