CVE-2023-51747

2024-02-2714:15:27

CWE-20

[email protected]

web.nvd.nist.gov

2620

cve

apache

james

smtp

vulnerability

security

upgrade

nvd

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.8%

JSON

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

Affected configurations

Vulners

Node

apachejames_serverRange≤3.7.4

apachejames_serverRange≤3.8.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache James server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.7.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "3.8.0",
        "status": "affected",
        "version": "3.8",
        "versionType": "semver"
      }
    ]
  }
]