Posted to users@ponymail.apache.org by Daniel Gruno <hu...@apache.org> on 2016/08/02 08:36:49 UTC

CVE-2016-4460: Apache Pony Mail (Incubating) disclosure vulnerability

######################################################################
CVE-2016-4460: Apache Pony Mail (Incubating) disclosure vulnerability

Severity: Moderate
Vendor: The Apache Software Foundation
Versions affected: 0.6c through 0.8b

Description:
  A flaw was discovered in the access, authentication & authorization
  mechanism whereby a user with sufficient knowledge of a private email
  could access it without first needing to authenticate.

Mitigation:
  There are three ways to mitigate the vulnerability:
    - Users may upgrade to 0.9 OR
    - Users may check out the latest source from git OR
    - Users may apply the following patch: https://s.apache.org/PlE5

Credit:
  The vulnerability was discovered by a member of the Apache Software
  Foundation.
######################################################################