QwikSec

Security Database

CVE

CWE

Training

CVE-2023-51747

Published: Feb 27, 2024

Modified: Feb 13, 2025

PUBLISHED

Description

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions.

Vendor	Product	Versions
Apache Software Foundation	Apache James server	affected `0 - <= 3.7.4` affected `3.8 - <= 3.8.0`

Weaknesses (CWE)

References

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

related

https://postfix.org/smtp-smuggling.html

related

https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/27/4

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.