Message-ID: <CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4Vs9rOwCDiUdnt1QA1Yw@mail.gmail.com>
Date: Fri, 26 Jan 2018 20:05:03 +0100
From: Jochen Wiedmann <jochen.wiedmann@...il.com>
To: security@...mons.apache.org, security <security@...che.org>, 
	private@...mons.apache.org, Alexander Lehmann <alexlehm@...il.com>, 
	oss-security@...ts.openwall.com
Subject: CVE-2018-1294: Apache Commons Email vulnerability information disclosure

CVE-2018-1294: Apache Commons Email vulnerability information
disclosure

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Commons Email from 1.0 to 1.4, inclusive. The
current version, 1.5, is not affected.

Description: If a user of Commons Email (typically an application
programmer) passes unvalidated input as the so-called "bounce
address" (the envelope sender to which delivery failures are
returned), and that input contains line breaks (CR/LF), the injected
lines can alter the email details (recipients, contents, etc.).

Mitigation: Users should upgrade to Commons Email 1.5.
You can mitigate this vulnerability in older versions of Commons
Email by stripping line breaks from any data that will be passed to
Email.setBounceAddress(String). Rejecting such input outright is
preferable, since an address containing a line break is never valid.
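As an added example (not code from the advisory or from the Commons Email project), the following hypothetical helper shows the mitigation for the 1.0 to 1.4 line in working Java: it checks a caller-supplied bounce address for CR, LF and other control characters and then strictly parses it as a single RFC 822 address before the value reaches Email.setBounceAddress(String). It assumes the Commons Email 1.x package org.apache.commons.mail and its JavaMail dependency javax.mail; the class name BounceAddressGuard, the host name and the sample addresses are constructed for the example.

```java
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

/** Hypothetical helper guarding Email.setBounceAddress(String) on Commons Email 1.0-1.4. */
public final class BounceAddressGuard {

    private BounceAddressGuard() {}

    /**
     * Returns the address if it contains no CR, LF or other control character
     * and strictly parses as exactly one well-formed address; throws otherwise.
     * Rejecting beats stripping: an address that carried a line break was
     * never a legitimate address in the first place.
     */
    public static String validatedBounceAddress(String candidate) throws AddressException {
        if (candidate == null) {
            throw new AddressException("bounce address is null");
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c == '\r' || c == '\n' || Character.isISOControl(c)) {
                throw new AddressException("control character in bounce address at index " + i);
            }
        }
        // strict=true rejects anything that is not a single syntactically valid address
        InternetAddress parsed = new InternetAddress(candidate, true);
        parsed.validate();
        return parsed.getAddress();
    }

    /** Fallback matching the advisory's wording: drop the line breaks instead of rejecting. */
    public static String strippedBounceAddress(String candidate) {
        return candidate == null ? null : candidate.replace("\r", "").replace("\n", "");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not data taken from the advisory.
        String attackerControlled = "victim@example.org\r\nRCPT TO:<attacker@example.net>";
        String benign = "bounces@example.org";

        Email email = new SimpleEmail();
        email.setHostName("smtp.example.org"); // assumed host; nothing is sent in this example
        email.setFrom("noreply@example.org");
        email.addTo("user@example.org");
        email.setSubject("test");
        email.setMsg("hello");

        // Accepted: a plain address passes both checks.
        email.setBounceAddress(validatedBounceAddress(benign));

        // Rejected: the CR/LF check fires before the value can reach the library.
        try {
            email.setBounceAddress(validatedBounceAddress(attackerControlled));
        } catch (AddressException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("stripped form: " + strippedBounceAddress(attackerControlled));
        // email.send() is deliberately not called; the example only demonstrates the input check.
    }
}
```

Apply validatedBounceAddress to every value that originates outside the application (form fields, API parameters, database rows written by other systems) before calling setBounceAddress; the stripping variant is only for callers that cannot fail the request, and it still leaves the address unvalidated in every other respect.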

Credit: Alexander Lehmann

References:
http://commons.apache.org/proper/commons-email/security-reports.html
