Vulnerability details: VCID-2rnj-c4yh-aaae
Vulnerability ID VCID-2rnj-c4yh-aaae
Aliases CVE-2023-51766
Summary Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
System Score Found at
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.00334 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.00707 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.00801 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.03209 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.08754 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
epss 0.34093 https://api.first.org/data/v1/epss?cve=CVE-2023-51766
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-51766
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-51766
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-51766
https://bugs.exim.org/show_bug.cgi?id=3063
https://bugzilla.redhat.com/show_bug.cgi?id=2255852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51766
https://exim.org/static/doc/security/CVE-2023-51766.txt
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
https://git.exim.org/exim.git/commit/5bb786d5ad568a88d50d15452aacc8404047e5ca
https://git.exim.org/exim.git/commit/cf1376206284f2a4f11e32d931d4aade34c206c5
https://github.com/Exim/exim/blob/master/doc/doc-txt/cve-2023-51766
https://lists.debian.org/debian-lts-announce/2024/01/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORN7OKEQPPBKUHYRQ6LR5PSNBQVDHAWB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPDWHJPABVJCXDSNELSSVTIVAJU2MDUQ/
https://lwn.net/Articles/956533/
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://www.openwall.com/lists/oss-security/2023/12/23/2
https://www.youtube.com/watch?v=V8KPV96g1To
http://www.openwall.com/lists/oss-security/2023/12/24/1
http://www.openwall.com/lists/oss-security/2023/12/25/1
http://www.openwall.com/lists/oss-security/2023/12/29/2
http://www.openwall.com/lists/oss-security/2024/01/01/1
http://www.openwall.com/lists/oss-security/2024/01/01/2
http://www.openwall.com/lists/oss-security/2024/01/01/3
1059387 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059387
cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-51766 https://nvd.nist.gov/vuln/detail/CVE-2023-51766
GLSA-202402-18 https://security.gentoo.org/glsa/202402-18
USN-6611-1 https://usn.ubuntu.com/6611-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-51766
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): low
Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.68668
EPSS Score 0.00276
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-01-03T17:14:28.338738+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2023-51766 34.0.0rc1