GHSA-p5q9-86w4-2xr5

Suggest an improvement
Source
https://github.com/advisories/GHSA-p5q9-86w4-2xr5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-p5q9-86w4-2xr5/GHSA-p5q9-86w4-2xr5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p5q9-86w4-2xr5
Aliases
  • CVE-2023-51747
Published
2024-02-27T15:30:31Z
Modified
2024-11-13T23:32:43.264836Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
SMTP smuggling in Apache James
Details

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

Database specific 
{
    "nvd_published_at": "2024-02-27T14:15:27Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-290"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-27T18:58:24Z"
}
References

Affected packages

Maven / org.apache.james:james-server

Package

Name
org.apache.james:james-server
View open source insights on deps.dev
Purl
pkg:maven/org.apache.james/james-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.5

Affected versions

3.*

3.0-beta2
3.0-beta3
3.0-beta4
3.0.0-beta5
3.0-M1
3.0-M2
3.0.0-RC1
3.0.0
3.0.1
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.2
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4

Maven / org.apache.james:james-server

Package

Name
org.apache.james:james-server
View open source insights on deps.dev
Purl
pkg:maven/org.apache.james/james-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.8.0
Fixed
3.8.1

Affected versions

3.*

3.8.0