Lucene search

GitHub Advisory DatabaseGHSA-P5Q9-86W4-2XR5

HistoryFeb 27, 2024 - 3:30 p.m.

SMTP smuggling in Apache James

2024-02-2715:30:31

CWE-20

GitHub Advisory Database

github.com

apache james

smtp smuggling

vulnerability

line delimiter

spf checks

crlf

upgrade

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

Affected configurations

Vulners

Node

org.apache.james\jamesMatchserver3.8.0

org.apache.james\jamesMatchserver

CPENameOperatorVersion
org.apache.james:james-servereq3.8.0
org.apache.james:james-serverlt3.7.5

CPE	Name	Operator	Version
	org.apache.james:james-server	eq	3.8.0
	org.apache.james:james-server	lt	3.7.5

References

www.openwall.com/lists/oss-security/2024/02/27/4

github.com/advisories/GHSA-p5q9-86w4-2xr5

github.com/apache/james-project/commit/d1ef102540e504c067b6c1721a6f1e7eee9c6fc6

github.com/apache/james-project/commit/d5cd8bb098aa78d8d62c9645f3c532689ef1cb03

lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko

nvd.nist.gov/vuln/detail/CVE-2023-51747

postfix.org/smtp-smuggling.html

sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide