Fluid Attacks Database

Description

sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports . but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	sendmail	=8.15.2-22 \|\| >=0 <8.15.2-22+deb11u1	8.15.2-22+deb11u1
debian 12	sendmail	=8.17.1.9-2 \|\| >=0 <8.17.1.9-2+deb12u1	8.17.1.9-2+deb12u1
debian 13	sendmail	>=0 <8.18.1-1	8.18.1-1
debian 14	sendmail	>=0 <8.18.1-1	8.18.1-1
rpm rhel6	sendmail	-	-
rpm rhel7	sendmail	-	-
rpm rhel8	sendmail	-	-
rpm rhel9	sendmail	-	-

Aliases

1. CVE-2023-517652. NVD-2023-517653. OSV-DEBIAN-2023-517654. OSV-2023-517655. SECURITY-TRACKER-CVE-2023-51765

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.