CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability


Stefan Bodewig

CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Email 1.0 to 1.4.

Description:
When a call-site passes an email subject that contains line breaks,
the caller can inject arbitrary SMTP headers.

Mitigation:
Users should upgrade to Commons Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from the subject before passing it to
the setSubject(String) method.
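The pre-1.5 workaround, as an added example that is not code from the advisory or from Commons Email: a hypothetical SafeSubject helper that either rejects or strips line breaks from an untrusted subject before the call-site hands it to setSubject(String). The class name, method names and the sample subject are constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Mitigation for CVE-2017-9801 on Commons Email 1.0 to 1.4: keep the
 * subject on a single header line so nothing after it can be parsed as
 * a further header. Hypothetical helper, not part of Commons Email.
 */
public final class SafeSubject {
    // CR and LF end the Subject header on the wire; the remaining Unicode
    // line terminators are included so no line-breaking character slips through.
    private static final Pattern LINE_BREAKS =
        Pattern.compile("[\\r\\n\\u000B\\f\\u0085\\u2028\\u2029]");

    private SafeSubject() {}

    /** Returns true when the subject would stay on one header line. */
    public static boolean isSingleLine(String subject) {
        return subject == null || !LINE_BREAKS.matcher(subject).find();
    }

    /** Lenient variant: collapses every line break to a single space. */
    public static String sanitize(String subject) {
        if (subject == null) {
            return null;
        }
        return LINE_BREAKS.matcher(subject).replaceAll(" ").trim();
    }

    /** Strict variant: fail closed rather than silently rewriting input. */
    public static String requireSingleLine(String subject) {
        if (!isSingleLine(subject)) {
            throw new IllegalArgumentException("subject must not contain line breaks");
        }
        return subject;
    }

    public static void main(String[] args) {
        // Constructed sample: a subject that carries a CRLF followed by header-like text.
        String untrusted = "Order confirmation\r\nX-Constructed: not-a-subject";
        System.out.println("single line? " + isSingleLine(untrusted));
        System.out.println("sanitized:   " + sanitize(untrusted));
        // On an affected version the call-site would then do:
        // email.setSubject(sanitize(untrusted));  or  email.setSubject(requireSingleLine(untrusted));
    }
}
```

Prefer requireSingleLine where the subject comes from user input and a rejected message can be reported back; use sanitize only where silently rewriting the subject is acceptable.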

Credit:
This issue was discovered by Adam Williams.

References:
http://commons.apache.org/proper/commons-email/security-reports.html
