Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
Metrics
Affected Vendors & Products
References
History
Wed, 13 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-290 CWE-444 |
|
Metrics |
cvssV3_1
|
ssvc
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-02-27T13:08:01.807Z
Updated: 2024-11-13T19:08:00.859Z
Reserved: 2023-12-22T16:12:33.074Z
Link: CVE-2023-51747
Vulnrichment
Updated: 2024-08-02T22:48:11.163Z
NVD
Status : Awaiting Analysis
Published: 2024-02-27T14:15:27.030
Modified: 2024-11-13T19:35:09.247
Link: CVE-2023-51747
Redhat