CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence: High
EPSS
Percentile: 68.3%
exim4 is vulnerable to Insufficient Verification of Data Authenticity (CVE-2023-51766). The vulnerability stems from insufficient verification in Exim's SMTP server configuration: it accepts a character sequence (.) in SMTP transactions that is not universally supported by other popular mail servers. An attacker can exploit this by "smuggling" SMTP commands inside email messages.
www.openwall.com/lists/oss-security/2023/12/24/1
www.openwall.com/lists/oss-security/2023/12/25/1
www.openwall.com/lists/oss-security/2023/12/29/2
www.openwall.com/lists/oss-security/2024/01/01/1
www.openwall.com/lists/oss-security/2024/01/01/2
www.openwall.com/lists/oss-security/2024/01/01/3
bugs.exim.org/show_bug.cgi?id=3063
bugzilla.redhat.com/show_bug.cgi?id=2255852
exim.org/static/doc/security/CVE-2023-51766.txt
fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
git.exim.org/exim.git/commit/5bb786d5ad568a88d50d15452aacc8404047e5ca
git.exim.org/exim.git/commit/cf1376206284f2a4f11e32d931d4aade34c206c5
github.com/Exim/exim/blob/master/doc/doc-txt/cve-2023-51766
lists.debian.org/debian-lts-announce/2024/01/msg00002.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORN7OKEQPPBKUHYRQ6LR5PSNBQVDHAWB/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPDWHJPABVJCXDSNELSSVTIVAJU2MDUQ/
lwn.net/Articles/956533/
sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
security-tracker.debian.org/tracker/CVE-2023-51766
www.openwall.com/lists/oss-security/2023/12/23/2
www.youtube.com/watch?v=V8KPV96g1To