Vulnerability Description
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | James | 3.7.5 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/02/27/4Mailing ListThird Party Advisory
- https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydkoMailing ListVendor Advisory
- https://postfix.org/smtp-smuggling.htmlProduct
- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/Product
- http://www.openwall.com/lists/oss-security/2024/02/27/4Mailing ListThird Party Advisory
- https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydkoMailing ListVendor Advisory
- https://postfix.org/smtp-smuggling.htmlProduct
- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/Product
FAQ
What is CVE-2023-51747?
CVE-2023-51747 is a vulnerability with a CVSS score of 7.1 (HIGH). Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the r...
How severe is CVE-2023-51747?
CVE-2023-51747 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-51747?
Check the references section above for vendor advisories and patch information. Affected products include: Apache James.