Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-51764

Опубликовано: 24 дек. 2023
Источник: nvd
CVSS3: 5.3
EPSS Средний

Описание

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports . but some other popular e-mail servers do not. To prevent attack variants (by always disallowing without ), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
Версия до 3.5.23 (исключая)
cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
Версия от 3.6.0 (включая) до 3.6.13 (исключая)
cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
Версия от 3.7.0 (включая) до 3.7.9 (исключая)
cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
Версия от 3.8.0 (включая) до 3.8.4 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 95%
0.21846
Средний

5.3 Medium

CVSS3

Дефекты

CWE-345

Связанные уязвимости

ubuntu логотип

CVE-2023-51764

CVSS3: 5.3
ubuntu
больше 1 года назад

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

redhat логотип

CVE-2023-51764

CVSS3: 5.3
redhat
больше 1 года назад

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

msrc логотип

CVE-2023-51764

CVSS3: 5.3
msrc
больше 1 года назад

Описание отсутствует

debian логотип

CVE-2023-51764

CVSS3: 5.3
debian
больше 1 года назад

Postfix through 3.8.5 allows SMTP smuggling unless configured with smt ...

suse-cvrf логотип

SUSE-SU-2024:1149-1

suse-cvrf
около 1 года назад

Security update for postfix

EPSS

Процентиль: 95%
0.21846
Средний

5.3 Medium

CVSS3

Дефекты

CWE-345