CVE-2024-27938 – SMTP Smuggling in Postal

https://notcve.org/view.php?id=CVE-2024-27938

Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has 'authorised' to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. • https://github.com/postalserver/postal/commit/0140dc4 https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2 https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide https://www.postfix.org/smtp-smuggling.html • CWE-116: Improper Encoding or Escaping of Output •