Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has 'authorised' to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-03-11T21:18:14.988Z
Updated: 2024-08-27T19:48:22.783Z
Reserved: 2024-02-28T15:14:14.217Z
Link: CVE-2024-27938
Vulnrichment
Updated: 2024-08-02T00:41:55.742Z
NVD
Status : Awaiting Analysis
Published: 2024-03-11T22:15:55.490
Modified: 2024-11-21T09:05:27.543
Link: CVE-2024-27938
Redhat
No data.