Date: Fri, 26 Jan 2018 20:05:03 +0100
From: Jochen Wiedmann <>
To:, security <>,, Alexander Lehmann <>,
Subject: CVE-2018-1294: Apache Commons Email vulnerability information disclosure

CVE-2018-1294: Apache Commons Email vulnerability information

Severity: Moderate

The Apache Software Foundation

Versions Affected:
All versions of Commons-Email from 1.0 to 1.4, inclusive. The
current version 1.5 is not affected.

Description: If a user of Commons-Email (typically an application
programmer) passes unvalidated input as the so-called "Bounce
Address", and that input contains line-breaks, then the email details
(recipients, contents, etc.) might be manipulated.

Mitigation: Users should upgrade to Commons-Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from data that will be passed to

Credit: Alexander Lehmann
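
The mitigation described above for older versions, as an added example (not code from the advisory or from Commons Email): a hypothetical `BounceAddressGuard` helper that either strips CR/LF from the value or rejects it before it is handed to the library as the bounce address. The class and method names and the sample inputs are constructed for illustration.

```java
import java.util.regex.Pattern;

public final class BounceAddressGuard {
    // CR and LF end a header line, so they are what the advisory's mitigation strips.
    private static final Pattern LINE_BREAKS = Pattern.compile("[\\r\\n]");
    // ASCII control characters (includes CR, LF, NUL, TAB); none belongs in an address.
    private static final Pattern CONTROL = Pattern.compile("\\p{Cntrl}");

    private BounceAddressGuard() { }

    /** Advisory mitigation: remove line breaks so the value stays on one line. */
    public static String stripLineBreaks(String input) {
        return LINE_BREAKS.matcher(input).replaceAll("");
    }

    /** Stricter variant (an assumption, not from the advisory): refuse the value outright. */
    public static String requireSingleLine(String input) {
        if (input == null || input.isEmpty()) {
            throw new IllegalArgumentException("bounce address is empty");
        }
        if (CONTROL.matcher(input).find()) {
            throw new IllegalArgumentException("bounce address contains control characters");
        }
        return input;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean, two carrying an embedded line break.
        String[] samples = {
            "bounce@example.org",
            "bounce@example.org\r\nBcc: other@example.net",
            "bounce@example.org\nSubject: replaced"
        };
        for (String s : samples) {
            // For the dirty samples the stripped result is one line, but no longer a usable address.
            System.out.println("stripped: " + stripLineBreaks(s));
            try {
                requireSingleLine(s);
                System.out.println("accepted");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Stripping keeps the extra text out of the headers, while rejecting also surfaces the bad input to the caller instead of sending mail with a mangled bounce address.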

