Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions.
History

Wed, 13 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
CWE-444
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-02-27T13:08:01.807Z

Updated: 2024-11-13T19:08:00.859Z

Reserved: 2023-12-22T16:12:33.074Z

Link: CVE-2023-51747

cve-icon Vulnrichment

Updated: 2024-08-02T22:48:11.163Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-02-27T14:15:27.030

Modified: 2024-11-21T08:38:43.590

Link: CVE-2023-51747

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-02-27T00:00:00Z

Links: CVE-2023-51747 - Bugzilla