Bug 2267363 (CVE-2023-51747)

Summary: CVE-2023-51747 apache-james: SMTP smuggling
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2267364    
Bug Blocks:    

Description Marco Benatto 2024-03-01 21:10:18 UTC 
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

http://www.openwall.com/lists/oss-security/2024/02/27/4
https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko
https://postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Comment 1 Marco Benatto 2024-03-01 21:10:29 UTC 
Created apache-james-project tracking bugs for this issue:

Affects: epel-all [bug 2267364]