Posted to announce@apache.org by Stefan Bodewig <bo...@apache.org> on 2017/08/01 18:31:29 UTC
CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Commons Email 1.0 to 1.4.
Description:
When a call-site passes a subject for an email that contains
line-breaks, the caller can add arbitrary SMTP headers.
Mitigation:
Users should upgrade to Commons Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from the subject before passing it to
the setSubject(String) method.
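Call-site mitigation for the affected 1.x versions, as an added example that is not code from the Commons Email project: the helper names, the sample subject and the host and address values are constructed placeholders; the Email/SimpleEmail calls are the library's public 1.x API.

```java
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public final class SafeSubject {

    /** True if the subject carries a CR or LF, i.e. it could terminate the Subject header line. */
    static boolean containsLineBreak(String subject) {
        return subject != null
                && (subject.indexOf('\r') >= 0 || subject.indexOf('\n') >= 0);
    }

    /**
     * Strips line breaks before the value reaches setSubject(String).
     * CR and LF end a header line in SMTP/MIME, so any text after them would
     * be read as further headers; runs of them are collapsed to one space so
     * the remaining subject text stays readable.
     */
    static String sanitizeSubject(String subject) {
        if (subject == null) {
            return "";
        }
        return subject.replaceAll("[\\r\\n]+", " ").trim();
    }

    public static void main(String[] args) throws EmailException {
        // Constructed untrusted input: a subject containing a line break.
        String untrusted = "Order confirmation\r\nX-Injected: yes";

        if (containsLineBreak(untrusted)) {
            // A strict policy could reject the request here instead of repairing it;
            // either way, log it so attempts are visible in the application logs.
            System.err.println("subject contained line breaks; sanitizing before send");
        }

        Email email = new SimpleEmail();
        email.setHostName("smtp.example.com");        // placeholder host
        email.setFrom("noreply@example.com");         // placeholder sender
        email.addTo("user@example.com");              // placeholder recipient
        email.setSubject(sanitizeSubject(untrusted)); // never pass the raw value
        email.setMsg("Your order has shipped.");
        email.send();
    }
}
```

With the sample input above, the header line sent is `Subject: Order confirmation X-Injected: yes`, a single line, rather than a second header.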
Credit:
This issue was discovered by Adam Williams.
References:
http://commons.apache.org/proper/commons-email/security-reports.html