CVE-2023-51765
24.12.2023, 06:15
sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sendmail | sendmail | 𝑥 < 8.18.0.2 |
| freebsd | freebsd | 𝑥 < 11.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| sendmail |
| ||
| sendmail-cf |
| ||
| sendmail-debuginfo |
| ||
| sendmail-debugsource |
| ||
| sendmail-doc |
| ||
| sendmail-milter |
| ||
| sendmail-milter-debuginfo |
| ||
| sendmail-milter-devel |
|
Common Weakness Enumeration
References