Michael Lescisin

#37841 of 53,632
7.4 Total CVSS
Vulnerabilities · 1
PT-2021-24133
7.4
2021-12-14
Apache · Apache Sling Commons Messaging Mail · CVE-2021-44549
Name of the Vulnerable Software and Affected Versions: Apache Sling Commons Messaging Mail version 1.0

Description: The issue concerns the lack of an option to enable server identity checks for the shared mail session in Apache Sling Commons Messaging Mail. This increases the risk of man-in-the-middle attacks when accessing mail servers via SMTPS. For compatibility reasons, these checks are disabled by default in JavaMail/Jakarta Mail. However, a user can enable these checks by accessing the session via the message created by SimpleMessageBuilder and setting the property `mail.smtps.ssl.checkserveridentity` to true.

Recommendations: For Apache Sling Commons Messaging Mail version 1.0, consider upgrading to version 2.0, which adds support for enabling server identity checks by default. As a temporary workaround for version 1.0, users can enable server identity checks by accessing the session via the message created by SimpleMessageBuilder and setting the property `mail.smtps.ssl.checkserveridentity` to true.