[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2023-51747: SMTP smuggling in Apache James
From: Benoit Tellier <btellier () apache ! org>
Date: 2024-02-27 12:28:33
Message-ID: caae87f6-2f72-9701-fc2a-97e716c5edbd () apache ! org
[Download RAW message or body]
Severity: important
Affected versions:
- Apache James server through 3.7.4
- Apache James server 3.8 through 3.8.0
Description:
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation \
between the sender and the receiver which can be exploited by an attacker to forge an SMTP \
envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
Credit:
Benoit TELLIER (coordinator)
References:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://postfix.org/smtp-smuggling.html
https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51747
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic