Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 26 Jan 2018 20:05:03 +0100
From: Jochen Wiedmann <jochen.wiedmann@...il.com>
To: security@...mons.apache.org, security <security@...che.org>, 
	private@...mons.apache.org, Alexander Lehmann <alexlehm@...il.com>, 
	oss-security@...ts.openwall.com
Subject: CVE-2018-1294: Apache Commons Email vulnerability information disclosure

CVE-2018-1294: Apache Commons Email vulnerability information
disclosure

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
All Versions of Commons-Email, from 1.0, to 1.4, inclusive. The
current version 1.5 is not affected.

Description: If a user of Commons-Email (typically an application
programmer) passes unvalidated input as the so-called "Bounce
Address", and that input contains line-breaks, then the email details
(recipients, contents, etc.) might be manipulated.

Mitigation: Users should upgrade to Commons-Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from data, that will be passed to
Email.setBounceAddress(String).

Credit: Alexander Lehmann

References:
http://commons.apache.org/proper/commons-email/security-reports.html

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ