Date: Fri, 26 Jan 2018 20:05:03 +0100 From: Jochen Wiedmann <jochen.wiedmann@...il.com> To: security@...mons.apache.org, security <security@...che.org>, private@...mons.apache.org, Alexander Lehmann <alexlehm@...il.com>, oss-security@...ts.openwall.com Subject: CVE-2018-1294: Apache Commons Email vulnerability information disclosure CVE-2018-1294: Apache Commons Email vulnerability information disclosure Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: All Versions of Commons-Email, from 1.0, to 1.4, inclusive. The current version 1.5 is not affected. Description: If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String). Credit: Alexander Lehmann References: http://commons.apache.org/proper/commons-email/security-reports.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.