Search criteria
6 vulnerabilities found for commons_email by apache
FKIE_CVE-2018-1294
Vulnerability from fkie_nvd - Published: 2018-03-20 17:29 - Updated: 2024-11-21 03:59
Severity ?
Summary
If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String).
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://seclists.org/oss-sec/2018/q1/107 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/oss-sec/2018/q1/107 | Mailing List, Mitigation, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | commons_email | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_email:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D40F5E36-3CFC-4DD5-8260-05923D072A0D",
"versionEndIncluding": "1.4",
"versionStartIncluding": "1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."
},
{
"lang": "es",
"value": "Si un usuario de Apache Commons Email (normalmente un programador de aplicaciones) pasa entradas no validadas como \"Bounce Address\" que contienen saltos de l\u00ednea, los detalles de email (destinatarios, contenido, etc.) podr\u00edan ser manipulados. Mitigaci\u00f3n: Los usuarios deber\u00edan actualizar a Commons-Email 1.5. Se puede mitigar esta vulnerabilidad en versiones antiguas de Commons Email eliminando los saltos de l\u00ednea de los datos que ser\u00e1n pasados a Email.setBounceAddress(String)."
}
],
"id": "CVE-2018-1294",
"lastModified": "2024-11-21T03:59:33.803",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-20T17:29:00.207",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-9801
Vulnerability from fkie_nvd - Published: 2017-08-07 15:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | commons_email | 1.0 | |
| apache | commons_email | 1.1 | |
| apache | commons_email | 1.2 | |
| apache | commons_email | 1.3 | |
| apache | commons_email | 1.3.1 | |
| apache | commons_email | 1.3.2 | |
| apache | commons_email | 1.3.3 | |
| apache | commons_email | 1.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_email:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "30F19A6E-9804-46E5-BB19-D68FD7151A08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A4F3451B-7369-45FA-AAA7-BD5DFF71595B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "46162757-2BEB-4AE3-8C87-72605B9EF048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7771B984-C576-4E86-8A33-A6C0D87ABE42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "58C4BCC5-676C-4CEC-9917-16ACF9E4CB0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "ECF0651E-705F-4E15-A4C2-FA074002858C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "6C31A98B-BBC5-4F26-B60F-399AFFA58C1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_email:1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D8D2181B-15C0-4FDD-A881-AE400841B20A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers."
},
{
"lang": "es",
"value": "Cuando un sitio de llamada pasa un asunto para un email que contiene saltos de l\u00ednea en Apache Commons Email 1.0 en su versi\u00f3n 1.4, el autor de la llamada puede a\u00f1adir encabezados SMTP arbitrarios."
}
],
"id": "CVE-2017-9801",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-07T15:29:00.517",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100082"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100082"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2018-1294 (GCVE-0-2018-1294)
Vulnerability from cvelistv5 – Published: 2018-03-20 17:00 – Updated: 2024-09-16 22:31
VLAI?
Summary
If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String).
Severity ?
No CVSS data available.
CWE
- Insufficient Data Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Email |
Affected:
versions prior to 1.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Email",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.5"
}
]
}
],
"datePublic": "2018-03-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Data Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-19T00:00:00",
"ID": "CVE-2018-1294",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Email",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Data Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1294",
"datePublished": "2018-03-20T17:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T22:31:23.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9801 (GCVE-0-2017-9801)
Vulnerability from cvelistv5 – Published: 2017-08-07 15:00 – Updated: 2024-09-16 19:05
VLAI?
Summary
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
Severity ?
No CVSS data available.
CWE
- SMTP header injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Email |
Affected:
1.0 to 1.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:02.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100082"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Email",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0 to 1.4"
}
]
}
],
"datePublic": "2017-08-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SMTP header injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-08T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100082"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-08-01T00:00:00",
"ID": "CVE-2017-9801",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Email",
"version": {
"version_data": [
{
"version_value": "1.0 to 1.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SMTP header injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5@%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100082"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9801",
"datePublished": "2017-08-07T15:00:00Z",
"dateReserved": "2017-06-21T00:00:00",
"dateUpdated": "2024-09-16T19:05:37.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1294 (GCVE-0-2018-1294)
Vulnerability from nvd – Published: 2018-03-20 17:00 – Updated: 2024-09-16 22:31
VLAI?
Summary
If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String).
Severity ?
No CVSS data available.
CWE
- Insufficient Data Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Email |
Affected:
versions prior to 1.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Email",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.5"
}
]
}
],
"datePublic": "2018-03-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Data Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-19T00:00:00",
"ID": "CVE-2018-1294",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Email",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Data Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20180126 CVE-2018-1294: Apache Commons Email vulnerability information disclosure",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2018/q1/107"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1294",
"datePublished": "2018-03-20T17:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T22:31:23.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9801 (GCVE-0-2017-9801)
Vulnerability from nvd – Published: 2017-08-07 15:00 – Updated: 2024-09-16 19:05
VLAI?
Summary
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
Severity ?
No CVSS data available.
CWE
- SMTP header injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Email |
Affected:
1.0 to 1.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:02.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100082"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Email",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0 to 1.4"
}
]
}
],
"datePublic": "2017-08-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SMTP header injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-08T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5%40%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100082"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-08-01T00:00:00",
"ID": "CVE-2017-9801",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Email",
"version": {
"version_data": [
{
"version_value": "1.0 to 1.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SMTP header injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[announce@apache.org] 20170801 CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/7ef903a772a2ff08605df1be819044fb15df2815eb3d63878b3fbbb5@%3Cannounce.apache.org%3E"
},
{
"name": "1039043",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039043"
},
{
"name": "100082",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100082"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-9801",
"datePublished": "2017-08-07T15:00:00Z",
"dateReserved": "2017-06-21T00:00:00",
"dateUpdated": "2024-09-16T19:05:37.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}