High severityNVD Advisory· Published Feb 27, 2024· Updated Feb 13, 2025
SMTP smuggling in Apache James
CVE-2023-51747
Description
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.james:james-serverMaven | < 3.7.5 | 3.7.5 |
org.apache.james:james-serverMaven | >= 3.8.0, < 3.8.1 | 3.8.1 |
Affected products
2- Range: 0
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-p5q9-86w4-2xr5ghsaADVISORY
- lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydkoghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-51747ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/02/27/4ghsaWEB
- github.com/apache/james-project/commit/d1ef102540e504c067b6c1721a6f1e7eee9c6fc6ghsaWEB
- github.com/apache/james-project/commit/d5cd8bb098aa78d8d62c9645f3c532689ef1cb03ghsaWEB
- postfix.org/smtp-smuggling.htmlghsarelatedWEB
- sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwideghsaWEB
- sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/mitrerelated
News mentions
0No linked articles in our index yet.