Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-51747

Good to know:

icon
icon

Date: February 27, 2024

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions.

Language: Java

Severity Score

Related Resources (10)

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://nvd.nist.gov/vuln/detail/CVE-2023-51747
https://postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide
https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko
https://github.com/apache/james-project/commit/d1ef102540e504c067b6c1721a6f1e7eee9c6fc6
https://github.com/apache/james-project/commit/d5cd8bb098aa78d8d62c9645f3c532689ef1cb03
https://github.com/apache/james-project
http://www.openwall.com/lists/oss-security/2024/02/27/4
https://www.mend.io/vulnerability-database/CVE-2023-51747

Severity Score

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-444

Input Validation

CWE-20

Authentication Bypass by Spoofing

CWE-290

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.james:james-server-protocols-smtp:3.7.5,3.8.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us