SMTP smuggling in Apache James
High severity
GitHub Reviewed · Published Feb 27, 2024 to the GitHub Advisory Database · Updated Nov 13, 2024
Package
Affected versions: < 3.7.5, = 3.8.0
Patched versions: 3.7.5, 3.8.1
Description
Published by the National Vulnerability Database: Feb 27, 2024
Published to the GitHub Advisory Database: Feb 27, 2024
Reviewed: Feb 27, 2024
Last updated: Nov 13, 2024
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
James was lenient about line delimiters inside the DATA transaction, so an end-of-data marker written with a non-standard delimiter (for example a bare LF around the terminating dot) could end the message on the James side while a strict, RFC 5321-conformant sending server treats the same bytes as ordinary message content and relays them unchanged. That difference of interpretation lets an attacker who can submit mail through such a sender craft a body that James reads as the end of one message followed by a second, forged SMTP envelope (MAIL FROM, RCPT TO, DATA). Because the forged envelope arrives over the sender's legitimate connection, checks keyed on the connecting host, SPF for instance, pass for the forged sender.
The patch enforces CRLF as the line delimiter within the DATA transaction, so only <CRLF>.<CRLF> terminates the message.
We recommend that James users upgrade to a non-vulnerable version (3.7.5 or 3.8.1).
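The following is an added illustration of the interpretation difference described above; it is not Apache James code and is written in Python rather than the project's Java so it runs stand-alone. It models two receivers parsing the same byte stream after a strict outbound relay has forwarded it unchanged: one that accepts only <CRLF>.<CRLF> as the end of DATA, and one that also accepts bare-LF or bare-CR variants, which is the lenient behaviour class the advisory describes. The sample stream, the domain names, and the helper names are all constructed for the example.

```python
"""SMTP smuggling via lenient end-of-data detection (illustrative model)."""
import re
from dataclasses import dataclass, field

EOD_STRICT = b"\r\n.\r\n"
# Lenient receivers also stop on a dot line delimited by bare LF or bare CR.
EOD_LENIENT = re.compile(rb"(\r\n|\n|\r)\.(\r\n|\n|\r)")

# Hardened check: any line ending that is not CRLF inside DATA is suspicious.
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")


@dataclass
class Transaction:
    mail_from: str
    rcpt_to: list = field(default_factory=list)
    body: bytes = b""


def find_eod_strict(buf: bytes, start: int):
    """Only <CRLF>.<CRLF> ends DATA (what the patch enforces)."""
    i = buf.find(EOD_STRICT, start)
    return None if i == -1 else (i, len(EOD_STRICT))


def find_eod_lenient(buf: bytes, start: int):
    """Pre-patch behaviour class: bare LF / CR around the dot also ends DATA."""
    m = EOD_LENIENT.search(buf, start)
    return None if m is None else (m.start(), m.end() - m.start())


def parse_transactions(buf: bytes, eod_finder) -> list:
    """Parse a client command stream into the transactions a receiver would see.

    Command lines are CRLF-terminated; eod_finder decides where DATA ends.
    """
    txns, cur, pos = [], None, 0
    while pos < len(buf):
        nl = buf.find(b"\r\n", pos)
        if nl == -1:
            nl = len(buf)
        line = buf[pos:nl]
        pos = nl + 2
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            cur = Transaction(line[10:].decode())
        elif upper.startswith(b"RCPT TO:"):
            if cur is None:
                raise ValueError("RCPT TO without MAIL FROM")
            cur.rcpt_to.append(line[8:].decode())
        elif upper == b"DATA":
            if cur is None:
                raise ValueError("DATA without MAIL FROM")
            # Search from the CRLF that ended the DATA line, so an empty body
            # terminated by ".\r\n" is found as <CRLF>.<CRLF>.
            hit = eod_finder(buf, pos - 2)
            if hit is None:
                raise ValueError("unterminated DATA")
            start, length = hit
            cur.body = buf[pos:start]
            pos = start + length
            txns.append(cur)
            cur = None
        elif upper == b"QUIT":
            break
    return txns


def has_bare_line_ending(body: bytes) -> bool:
    """True if DATA contains a bare LF or bare CR; a strict receiver can reject it."""
    return bool(BARE_LF.search(body) or BARE_CR.search(body))


# Constructed sample stream. The attacker submits this body through a strict
# outbound server for attacker.example; that server relays the bytes verbatim,
# so the receiving server sees exactly this after accepting the connection.
SMUGGLED = (
    b"MAIL FROM:<attacker@attacker.example>\r\n"
    b"RCPT TO:<victim@victim.example>\r\n"
    b"DATA\r\n"
    b"Subject: hello\r\n\r\n"
    b"harmless text\n"
    b".\n"                                    # bare-LF dot line: not <CRLF>.<CRLF>
    b"MAIL FROM:<ceo@attacker.example>\r\n"   # smuggled second envelope; same
    b"RCPT TO:<victim@victim.example>\r\n"    # domain as the relay, so SPF passes
    b"DATA\r\n"
    b"Subject: urgent\r\n\r\nforged\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def demo():
    strict = parse_transactions(SMUGGLED, find_eod_strict)
    lenient = parse_transactions(SMUGGLED, find_eod_lenient)
    return strict, lenient


if __name__ == "__main__":
    strict, lenient = demo()
    print("strict receiver sees", len(strict), "message(s)")
    print("lenient receiver sees", len(lenient), "message(s); second envelope:",
          lenient[1].mail_from)
    print("bare line ending in strict body:", has_bare_line_ending(strict[0].body))
```

The strict parse yields one message whose body merely contains the text `MAIL FROM:<ceo@...>`; the lenient parse yields two transactions, the second carrying a sender the attacker never authenticated as. `has_bare_line_ending` shows the cheap receiver-side check that the CRLF enforcement in the patch amounts to: if DATA contains any non-CRLF line ending, refuse to treat anything but <CRLF>.<CRLF> as the terminator.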
References