ID

VAR-202402-2654


CVE

CVE-2023-51747


TITLE

Input validation vulnerability in Apache Software Foundation's Apache James

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839

DESCRIPTION

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver, which can be exploited by an attacker to forge an SMTP envelope, allowing for instance the bypass of SPF checks. The patch enforces CRLF as the line delimiter as part of the DATA transaction. We recommend that James users upgrade to non-vulnerable versions. Apache Software Foundation's Apache James contains vulnerabilities related to improper input validation, authentication bypass by spoofing, and HTTP request smuggling. Information may be obtained and information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2023-51747 // JVNDB: JVNDB-2023-028839

AFFECTED PRODUCTS

vendor: apache, model: james, scope: eq, version: 3.8.1

Trust: 1.8

vendor: apache, model: james, scope: eq, version: 3.7.5

Trust: 1.8

vendor: apache, model: james, scope: eq, version: -

Trust: 0.8

vendor: apache, model: james, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839 // NVD: CVE-2023-51747

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2023-51747
value: HIGH

Trust: 1.0

OTHER: JVNDB-2023-028839
value: HIGH

Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2023-51747
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

OTHER: JVNDB-2023-028839
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839 // NVD: CVE-2023-51747

PROBLEMTYPE DATA

problemtype: CWE-290

Trust: 1.0

problemtype: CWE-20

Trust: 1.0

problemtype: CWE-444

Trust: 1.0

problemtype: Improper Input Validation (CWE-20) [others]

Trust: 0.8

problemtype: Authentication Bypass by Spoofing (CWE-290) [others]

Trust: 0.8

problemtype: HTTP Request Smuggling (CWE-444) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839 // NVD: CVE-2023-51747

EXTERNAL IDS

db: NVD, id: CVE-2023-51747

Trust: 2.6

db: OPENWALL, id: OSS-SECURITY/2024/02/27/4

Trust: 1.8

db: JVNDB, id: JVNDB-2023-028839

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839 // NVD: CVE-2023-51747

REFERENCES

url: http://www.openwall.com/lists/oss-security/2024/02/27/4

Trust: 1.8

url: https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko

Trust: 1.8

url: https://postfix.org/smtp-smuggling.html

Trust: 1.8

url: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-51747

Trust: 0.8

sources: JVNDB: JVNDB-2023-028839 // NVD: CVE-2023-51747

SOURCES

db: JVNDB, id: JVNDB-2023-028839
db: NVD, id: CVE-2023-51747

LAST UPDATE DATE

2025-05-09T03:05:10.333000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2023-028839, date: 2025-05-07T02:36:00
db: NVD, id: CVE-2023-51747, date: 2025-05-05T21:02:14.223

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2023-028839, date: 2025-05-07T00:00:00
db: NVD, id: CVE-2023-51747, date: 2024-02-27T14:15:27.030