CVE-2023-51764
Description
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> as an end-of-data sequence but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
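As an added example (not part of this record or of Postfix itself), a Python check that reads `postconf -n`-style output plus a Postfix version string and reports which of the two mitigation routes named in the description is in effect. The parameter names and per-branch version floors come from the description; the configuration samples are constructed.

```python
import re

# Minimum release per branch that carries smtpd_forbid_bare_newline
# (from the CVE description); 3.9 and later always carry it.
FORBID_BARE_NEWLINE_MIN = {
    (3, 5): (3, 5, 23), (3, 6): (3, 6, 13), (3, 7): (3, 7, 9), (3, 8): (3, 8, 4),
}

def parse_version(text):
    """'3.8.4', '3.9' or '2:3.5.25-1.el9' -> 3-tuple of ints (epoch and release dropped)."""
    bare = text.strip().split(":")[-1]
    parts = tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", bare).group(0).split("."))
    return (parts + (0, 0, 0))[:3]

def parse_postconf(text):
    """Parse 'name = value' lines (the shape of `postconf -n` output) into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def _tokens(value):
    # Postfix lists are separated by commas and/or whitespace.
    return {t for t in re.split(r"[\s,]+", value) if t}

def smuggling_mitigations(conf, version):
    """Return the names of the CVE-2023-51764 mitigations present in conf."""
    found = []
    # Route 1: refuse pipelined data after DATA and hide BDAT (chunking) from EHLO.
    if ("reject_unauth_pipelining" in _tokens(conf.get("smtpd_data_restrictions", ""))
            and "chunking" in _tokens(conf.get("smtpd_discard_ehlo_keywords", ""))):
        found.append("reject_unauth_pipelining+discard_chunking")
    # Route 2: reject bare <LF>; only honoured by releases that know the option.
    v = parse_version(version)
    floor = FORBID_BARE_NEWLINE_MIN.get(v[:2], (3, 9, 0))
    if conf.get("smtpd_forbid_bare_newline", "").lower() == "yes" and v >= floor:
        found.append("smtpd_forbid_bare_newline")
    return found

def is_mitigated(postconf_text, version):
    return bool(smuggling_mitigations(parse_postconf(postconf_text), version))

# Constructed sample configurations (not taken from any real host).
VULNERABLE_CONF = "smtpd_data_restrictions = permit_mynetworks\nsmtpd_forbid_bare_newline = no\n"
MITIGATED_CONF = ("smtpd_data_restrictions = reject_unauth_pipelining\n"
                  "smtpd_discard_ehlo_keywords = chunking, silent-discard\n")
BARE_NEWLINE_CONF = "smtpd_forbid_bare_newline = yes\n"
```

Feed it the real `postconf -n` output and `postconf mail_version` of a host to see which route, if any, that host relies on; a setting of smtpd_forbid_bare_newline=yes on a release older than the branch floor is reported as absent because the option is not in effect there.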
Affected products
OSV package coordinates (none has a CPE mapping) with the affected version range for each:
- pkg:rpm/almalinux/postfix: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-cdb: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-ldap: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-lmdb: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-mysql: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-pcre: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-perl-scripts: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-pgsql: < 2:3.5.25-1.el9
- pkg:rpm/almalinux/postfix-sqlite: < 2:3.5.25-1.el9
- pkg:rpm/opensuse/postfix-bdb&distro=openSUSE%20Leap%2015.4: < 3.5.9-150300.5.15.1
- pkg:rpm/opensuse/postfix-bdb&distro=openSUSE%20Leap%2015.5: < 3.7.3-150500.3.11.1
- pkg:rpm/opensuse/postfix&distro=openSUSE%20Leap%2015.4: < 3.5.9-150300.5.15.1
- pkg:rpm/opensuse/postfix&distro=openSUSE%20Leap%2015.5: < 3.7.3-150500.3.11.1
- pkg:rpm/opensuse/postfix&distro=openSUSE%20Tumbleweed: < 3.8.4-2.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Enterprise%20Storage%207.1: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP5: < 3.7.3-150500.3.11.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix-bdb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Enterprise%20Storage%207.1: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5: < 3.7.3-150500.3.11.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5: < 3.7.3-150500.3.11.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 3.2.10-3.30.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 3.2.10-3.30.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5: < 3.2.10-3.30.1
- pkg:rpm/suse/postfix&distro=SUSE%20Manager%20Proxy%204.3: < 3.5.9-150300.5.15.1
- pkg:rpm/suse/postfix&distro=SUSE%20Manager%20Server%204.3: < 3.5.9-150300.5.15.1
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/ (mitre; vendor-advisory)
- www.openwall.com/lists/oss-security/2023/12/24/1 (mitre; mailing-list)
- www.openwall.com/lists/oss-security/2023/12/25/1 (mitre; mailing-list)
- www.openwall.com/lists/oss-security/2024/05/09/3 (mitre; mailing-list)
- lists.debian.org/debian-lts-announce/2024/01/msg00020.html (mitre; mailing-list)
- access.redhat.com/security/cve/CVE-2023-51764 (mitre)
- bugzilla.redhat.com/show_bug.cgi (mitre)
- fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html (mitre)
- lwn.net/Articles/956533/ (mitre)
- sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ (mitre)
- www.openwall.com/lists/oss-security/2024/01/22/1 (mitre)
- www.postfix.org/announcements/postfix-3.8.5.html (mitre)
- www.postfix.org/smtp-smuggling.html (mitre)
- www.youtube.com/watch (mitre)