SMTP Smuggling Vulnerability in Exim Email Server Software
CVE-2023-51766

5.3MEDIUM

Key Information:

Vendor: Exim
Status: Exim
Vendor: CVE Published:; 24 December 2023

What is CVE-2023-51766?

A vulnerability within the Exim mail transfer agent allows remote attackers to exploit insecure configurations involving PIPELINING and CHUNKING techniques. This can enable the injection of email messages with spoofed 'MAIL FROM' addresses, effectively bypassing SPF protection mechanisms. The root cause of this issue lies in Exim's support for specific line termination sequences, which some other email servers do not handle in the same way, presenting a risk for email integrity and authentication.

References

https://sec-consult.com/blog/detail/smtp-smuggling-spoofi...

https://exim.org/static/doc/security/CVE-2023-51766.txt

https://bugs.exim.org/show_bug.cgi?id=3063

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 24, 2023
Vulnerability Reserved
Dec 24, 2023