Apache James Vulnerable to SMTP Smuggling
CVE-2023-51747

Currently unrated

Key Information:

Vendor: Apache
Status: Apache James Server
Vendor: CVE Published:; 27 February 2024

Summary

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

Affected Version(s)

Apache James server 0 <= 3.7.4

Apache James server 3.8 <= 3.8.0

References

https://sec-consult.com/blog/detail/smtp-smuggling-spoofi...

https://postfix.org/smtp-smuggling.html

https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3k...

vendor-advisory

Timeline

Vulnerability published
Feb 27, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Benoit TELLIER