CVE-2023-51747

HIGH

Apache James <3.8.1-3.7.5 - SMTP Smuggling

Title source: llm

Description

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. Lenient handling of line delimiters might create a difference of interpretation between the sender and the receiver, which an attacker can exploit to forge an SMTP envelope, for instance to bypass SPF checks. The patch enforces CRLF as the line delimiter within the DATA transaction. We recommend that James users upgrade to a non-vulnerable version.
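The difference of interpretation described above can be checked for in a captured DATA stream. The following is an added example, not code from Apache James or its patch: it compares where a CRLF-only reader and a lenient reader place the end of the message, and rejects any non-CRLF delimiter. All function names and the sample bytes are constructed for illustration.

```python
import re

# A CR not followed by LF, or an LF not preceded by CR.
BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")
# End-of-data as a lenient reader sees it: "." alone between any line endings.
LENIENT_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")
STRICT_EOD = b"\r\n.\r\n"


def find_bare_delimiters(data: bytes):
    """Return (offset, kind) for each CR or LF that is not part of a CRLF pair."""
    return [(m.start(), "bare CR" if m.group() == b"\r" else "bare LF")
            for m in BARE.finditer(data)]


def split_at_end_of_data(data: bytes, strict: bool):
    """Return (message, leftover) as a strict or lenient reader would split the stream."""
    if strict:
        idx = data.find(STRICT_EOD)
        end = idx + len(STRICT_EOD)
    else:
        m = LENIENT_EOD.search(data)
        idx, end = (m.start(), m.end()) if m else (-1, 0)
    if idx == -1:
        return data, b""  # terminator not seen yet
    return data[:idx], data[end:]


def enforce_crlf(data: bytes) -> bytes:
    """Reject the DATA stream if any line delimiter is not CRLF (hypothetical check)."""
    bad = find_bare_delimiters(data)
    if bad:
        raise ValueError(f"non-CRLF line delimiter in DATA: {bad}")
    return data


# Constructed sample: a DATA stream containing a "." line delimited by bare LF.
SAMPLE = b"Subject: hi\r\n\r\nfirst part\n.\nsecond part\r\n.\r\n"

if __name__ == "__main__":
    print("strict :", split_at_end_of_data(SAMPLE, strict=True))
    print("lenient:", split_at_end_of_data(SAMPLE, strict=False))
    print("bare   :", find_bare_delimiters(SAMPLE))
```

A non-empty leftover from the lenient split combined with an empty leftover from the strict split marks a stream the two readers disagree on.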

Scores

CVSS v3 7.1
EPSS 0.0024
EPSS Percentile 47.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-290 CWE-444 CWE-20
Status published
Products (3)
apache/james 3.7.5
apache/james 3.8.1
org.apache.james/james-server 0 - 3.7.5 (Maven)
Published Feb 27, 2024
Tracked Since Feb 18, 2026