SMTP smuggling in Apache James

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions.

N/A

输入验证不恰当

Apache James 输入验证错误漏洞

Apache James是美国阿帕奇（Apache）基金会的一个完全用 Java 编写的开源 Smtp 和 Pop3 邮件传输代理和 Nntp 新闻服务器。 Apache James 3.8.1之前版本和3.7.5之前版本存在输入验证错误漏洞，该漏洞源于发送方和接收方之间存在行分隔符处理差异，攻击者可利用这种差异进行SMTP走私攻击。

N/A

N/A