5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.2 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
65.3%
A flaw was found in some SMTP server configurations in Postfix. This flaw allows a remote attacker to break out email message data to “smuggle” SMTP commands and send spoofed emails that pass SPF checks. Out of the box, Postfix targets to accommodate older clients with faulty SMTP implementations due to which restrictions are not enforced in the default configuration. Appropriate mitigation strategies are mentioned in the appropriate section below.
This flaw can be PARTIALLY mitigated via the following options in the main.cf:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
Please note this only blocks the misuse of SMTP command pipelining, but does not address message pipelining nor malformed line endings. The only fix for these issues are via package updates.
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.2 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
65.3%