CVE-2024-27938

Improper Encoding or Escaping of Output (CWE-116)

Published: Mar 11, 2024 / Updated: 8mo ago

CVSS 5.3 | EPSS 0.05% | Severity: Medium

Postal is an open source SMTP server. Postal versions before 3.0.0 are vulnerable to SMTP smuggling attacks that may allow incoming e-mails to be spoofed. In conjunction with a cooperative outgoing SMTP service (one that relays a non-standard end-of-data sequence unchanged), this allows Postal to receive an incoming e-mail that appears to come from a server the user has 'authorised' to send mail on their behalf, even though that server was not the genuine author of the e-mail. Postal is not affected when sending outgoing e-mails, because the message is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed in Postal v3.0.0, and users should upgrade to v3.0.0 or higher. Once upgraded, Postal only accepts end-of-DATA sequences that are explicitly `<CR><LF>.<CR><LF>`; if a non-compliant sequence is detected, it is logged to the SMTP server log. There are no workarounds for this issue.
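
The smuggling mechanism described above, as an added example in Ruby (the language Postal is written in) that is not Postal's own code: a lenient receiver whose end-of-DATA match accepts bare-LF variants is fed a constructed DATA stream carrying a second envelope behind a `\n.\n`; it queues two messages, the second with a spoofed sender, while a receiver that only accepts `<CR><LF>.<CR><LF>` queues one message and can log the non-compliant sequence. The last function shows the general RFC 5321 re-encoding (CRLF line endings plus dot-stuffing) that keeps a relayed copy from terminating DATA early at the next hop. The regexes, the addresses and the payload are invented for the example, and `LENIENT_EOD` is an assumed pre-fix behaviour, not Postal's actual pre-3.0.0 code.

```ruby
# Added example, not Postal's code. Models the DATA phase of an inbound SMTP
# server and shows why only an exact <CR><LF>.<CR><LF> may end DATA.

# RFC 5321 end-of-DATA: CRLF, a lone dot, CRLF (what Postal >= 3.0.0 requires).
STRICT_EOD = /\r\n\.\r\n/
# Assumed lenient match: CR optional on either side of the dot. This stands in
# for pre-fix behaviour in general; it is not Postal's actual pre-3.0.0 regex.
LENIENT_EOD = /\r?\n\.\r?\n/

# Constructed bytes a hostile client sends after DATA (all addresses invented).
SMUGGLING_PAYLOAD = [
  "From: alice@authorised.example\r\n",
  "Subject: legit\r\n",
  "\r\n",
  "Hello\r\n",
  "\n.\n",                                  # bare-LF terminator, not CRLF.CRLF
  "MAIL FROM:<ceo@authorised.example>\r\n", # smuggled second envelope
  "RCPT TO:<victim@postal.example>\r\n",
  "DATA\r\n",
  "From: ceo@authorised.example\r\n",
  "Subject: urgent\r\n",
  "\r\n",
  "Wire the money\r\n",
  ".\r\n",                                  # the genuine CRLF.CRLF terminator
].join

# Simulate the receiver from the moment the first DATA command was accepted.
# Returns the messages it would queue, each with the envelope sender it believed.
def simulate_inbound(raw, eod, from: "alice@authorised.example")
  messages = []
  buf = raw
  loop do
    m = eod.match(buf)
    break if m.nil?                       # terminator never seen: DATA stays open
    messages << { from: from, body: buf[0...m.begin(0)] }
    rest = buf[m.end(0)..]
    # Everything after the terminator is parsed as SMTP commands again.
    data_at = rest.index("DATA\r\n")
    break if data_at.nil?
    cmds = rest[0...data_at]
    if (mf = cmds.match(/^MAIL FROM:<([^>]*)>/))
      from = mf[1]                        # attacker-chosen sender takes effect
    end
    buf = rest[(data_at + "DATA\r\n".length)..]
  end
  messages
end

# What a strict receiver should log: terminator look-alikes left inside the body.
def nonconformant_eod_sequences(body)
  body.scan(LENIENT_EOD).reject { |s| s == "\r\n.\r\n" }
end

# Outbound re-encoding (RFC 5321 transparency): normalise every line ending to
# CRLF and dot-stuff lines starting with ".", so the relayed body cannot end
# DATA early at the next hop, however lenient that hop is.
def encode_for_smtp(body)
  lines = body.split(/\r\n|\n|\r/, -1)
  lines.pop if lines.last == ""
  lines.map { |l| l.start_with?(".") ? ".#{l}" : l }.join("\r\n") + "\r\n.\r\n"
end

if __FILE__ == $PROGRAM_NAME
  lenient = simulate_inbound(SMUGGLING_PAYLOAD, LENIENT_EOD)
  strict  = simulate_inbound(SMUGGLING_PAYLOAD, STRICT_EOD)
  puts "lenient receiver queued #{lenient.length} messages, last from #{lenient.last[:from]}"
  puts "strict receiver queued #{strict.length} message from #{strict.first[:from]}"
  puts "non-compliant sequences to log: #{nonconformant_eod_sequences(strict.first[:body]).inspect}"
  relayed = encode_for_smtp(strict.first[:body])
  puts "relayed copy seen by a lenient next hop: #{simulate_inbound(relayed, LENIENT_EOD).length} message"
end
```

Run it directly to see the two outcomes side by side. The lenient receiver turns the bytes after `\n.\n` into a fresh `MAIL FROM` and queues a message from `ceo@authorised.example` that the client never authenticated as; the strict receiver keeps those bytes as body text, so the spoofed envelope never exists, and the `\n.\n` it finds inside the body is exactly the kind of non-compliant sequence the advisory says Postal now logs.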

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

CVE Assignment: NVD published the first details for CVE-2024-27938 (Mar 11, 2024 at 3:15 PM)

CVSS: A CVSS base score of 5.3 has been assigned (Mar 11, 2024 at 10:20 PM, source: nvd)

First Article: Feedly found the first article mentioning CVE-2024-27938 (Mar 11, 2024 at 10:24 PM, source: National Vulnerability Database)

EPSS: EPSS score set to 0.05% (percentile: 12.6%) (Mar 12, 2024 at 2:31 PM)

Attack Patterns

CAPEC-104: Cross Zone Scripting
