CVE Vulnerabilities

CVE-2023-51766

Insufficient Verification of Data Authenticity

Published: Dec 24, 2023 | Modified: Feb 02, 2024
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports . but some other popular e-mail servers do not.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name Vendor Start Version End Version
Exim Exim * 4.97.1 (excluding)
Exim4 Ubuntu bionic *
Exim4 Ubuntu devel *
Exim4 Ubuntu esm-infra/bionic *
Exim4 Ubuntu esm-infra/xenial *
Exim4 Ubuntu focal *
Exim4 Ubuntu jammy *
Exim4 Ubuntu lunar *
Exim4 Ubuntu mantic *
Exim4 Ubuntu noble *
Exim4 Ubuntu oracular *
Exim4 Ubuntu trusty *
Exim4 Ubuntu trusty/esm *
Exim4 Ubuntu upstream *
Exim4 Ubuntu xenial *

References