PT-2023-9292 · Opendkim+1

Published 2023-07-11 · Updated 2024-08-06 · CVE-2022-48521

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenDKIM versions 2.10.3 and earlier; OpenDKIM versions 2.11.x through 2.11.0-Beta2
Description: OpenDKIM strips pre-existing Authentication-Results header fields that claim its own authserv-id, so that a sender cannot pre-seed verification results. It addresses those fields by ordinal number but does not account for the renumbering that each removal causes, so when a message carries more than one such fake field, at least one survives. A remote attacker can therefore send a message with a forged sender address and several fake Authentication-Results fields, and programs that rely on Authentication-Results from OpenDKIM treat the message as carrying a valid DKIM signature when in fact it has none.
Recommendations: For OpenDKIM versions 2.10.3 and earlier, update to a version later than 2.10.3. For OpenDKIM versions 2.11.x through 2.11.0-Beta2, update to a version later than 2.11.0-Beta2. As a temporary workaround until a patched build is deployed, strip every inbound Authentication-Results field that carries your own authserv-id at the MTA edge before the message reaches OpenDKIM, and do not let downstream filters make delivery or display decisions on the presence of a single Authentication-Results field alone.
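The following is an added illustration of the failure described above and of the edge-stripping workaround; it is not OpenDKIM code. It models the milter convention that header fields of one name are addressed by a 1-based ordinal and that deleting one renumbers the fields after it, then runs a removal loop that ignores the renumbering beside one that tracks it. The message, the authserv-id "mx.example.org" and the class and function names are constructed for the example.

```python
"""Simulate removal of forged Authentication-Results (A-R) fields by ordinal.

Added example, not OpenDKIM code. The MilterHeaders class stands in for the
milter header view: delete(name, ordinal) behaves like
smfi_chgheader(ctx, name, ordinal, NULL), so deleting ordinal 1 makes the
former ordinal 2 become ordinal 1.
"""
import email

AUTHSERV_ID = "mx.example.org"  # assumed authserv-id of the receiving site
AR = "Authentication-Results"

# Constructed sample: no DKIM-Signature at all, but three attacker-supplied
# A-R fields that claim to have been added by mx.example.org.
SAMPLE_MESSAGE = """\
From: attacker@example.net
To: victim@example.org
Subject: forged A-R
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example
Content-Type: text/plain

hello
"""


class MilterHeaders:
    """Header fields as (name, value) pairs, addressed by 1-based ordinal."""

    def __init__(self, fields):
        self.fields = list(fields)

    def count(self, name):
        return sum(1 for n, _ in self.fields if n.lower() == name.lower())

    def _index(self, name, ordinal):
        seen = 0
        for i, (n, _) in enumerate(self.fields):
            if n.lower() == name.lower():
                seen += 1
                if seen == ordinal:
                    return i
        return None

    def get(self, name, ordinal):
        i = self._index(name, ordinal)
        return None if i is None else self.fields[i][1]

    def delete(self, name, ordinal):
        i = self._index(name, ordinal)
        if i is None:
            return False
        del self.fields[i]  # fields after i are renumbered
        return True


def authserv_id_of(value):
    """The authserv-id is the first token before the first ';'."""
    parts = value.split(";", 1)[0].split()
    return parts[0].lower() if parts else ""


def remove_forged_naive(headers, authserv_id):
    """Flawed: deletes by the original ordinal, ignoring renumbering."""
    removed = 0
    for ordinal in range(1, headers.count(AR) + 1):
        value = headers.get(AR, ordinal)
        if value is not None and authserv_id_of(value) == authserv_id.lower():
            headers.delete(AR, ordinal)
            removed += 1
    return removed


def remove_forged_tracked(headers, authserv_id):
    """Corrected: shifts the ordinal down by the number already removed."""
    removed = 0
    for ordinal in range(1, headers.count(AR) + 1):
        value = headers.get(AR, ordinal - removed)
        if value is not None and authserv_id_of(value) == authserv_id.lower():
            headers.delete(AR, ordinal - removed)
            removed += 1
    return removed


def forged_remaining(raw, authserv_id, strategy):
    """Count A-R fields claiming authserv_id that survive the strategy."""
    hdrs = MilterHeaders(email.message_from_string(raw).items())
    strategy(hdrs, authserv_id)
    return sum(1 for o in range(1, hdrs.count(AR) + 1)
               if authserv_id_of(hdrs.get(AR, o)) == authserv_id.lower())


def downstream_trusts_dkim(raw, authserv_id, strategy):
    """A consumer that trusts 'dkim=pass' in any A-R field with our authserv-id."""
    hdrs = MilterHeaders(email.message_from_string(raw).items())
    strategy(hdrs, authserv_id)
    for o in range(1, hdrs.count(AR) + 1):
        v = hdrs.get(AR, o)
        if authserv_id_of(v) == authserv_id.lower() and "dkim=pass" in v:
            return True
    return False


if __name__ == "__main__":
    for name, strat in (("naive", remove_forged_naive), ("tracked", remove_forged_tracked)):
        print(name, "left", forged_remaining(SAMPLE_MESSAGE, AUTHSERV_ID, strat),
              "forged field(s); downstream sees dkim=pass:",
              downstream_trusts_dkim(SAMPLE_MESSAGE, AUTHSERV_ID, strat))
```

With three forged fields the naive loop deletes ordinals 1 and 2 only (the third field has already become ordinal 2 and then the loop asks for a non-existent ordinal 3), so one fake "dkim=pass" survives for the downstream consumer; the tracked loop removes all of them. The same tracked loop, run at the MTA edge on every inbound message, is the workaround described above.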

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-06034
CVE-2022-48521
DLA-3680-1

Affected Products

Opendkim
Red Os