oss-security - CVE-2023-51747: SMTP smuggling in Apache James

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <caae87f6-2f72-9701-fc2a-97e716c5edbd@apache.org>
Date: Tue, 27 Feb 2024 12:28:33 +0000
From: Benoit Tellier <btellier@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-51747: SMTP smuggling in Apache James 

Severity: important

Affected versions:

- Apache James server through 3.7.4
- Apache James server 3.8 through 3.8.0

Description:

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

Credit:

Benoit TELLIER (coordinator)

References:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://postfix.org/smtp-smuggling.html
https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51747

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.