PT-2018-11495 · Apache · Apache Commons Email

Alexander Lehmann · Published 2018-02-24 · Updated 2022-05-14 · CVE-2018-1294

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache Commons Email versions prior to 1.5

Description

The issue allows manipulation of email details, such as recipients and contents, if unvalidated input containing line-breaks is passed as the "Bounce Address".

Recommendations

For versions prior to 1.5, strip line-breaks from data passed to Email.setBounceAddress(String) as a mitigation measure. Upgrade to Commons-Email 1.5 to resolve the issue.
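
The line-break stripping recommended above for versions prior to 1.5, as an added example that is not part of the advisory or of Commons Email. The class and method names (BounceAddressSanitizer, stripLineBreaks, containsLineBreak) are hypothetical, the sample inputs are constructed, and treating U+0085, U+2028 and U+2029 as line breaks in addition to CR and LF is an assumption.

```java
import java.util.regex.Pattern;

/** Hypothetical helper, not part of Commons Email: cleans a value before Email.setBounceAddress(String). */
public final class BounceAddressSanitizer {

    // CR and LF end a line; the three Unicode line terminators are included as an assumption.
    private static final Pattern LINE_BREAKS = Pattern.compile("[\\r\\n\\u0085\\u2028\\u2029]");

    private BounceAddressSanitizer() { }

    /** Returns the address with every line-break character removed; null stays null. */
    public static String stripLineBreaks(String address) {
        if (address == null) {
            return null;
        }
        return LINE_BREAKS.matcher(address).replaceAll("");
    }

    /** True when the input contained a line break, so the caller can log or reject it. */
    public static boolean containsLineBreak(String address) {
        return address != null && LINE_BREAKS.matcher(address).find();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean address, one with an embedded CRLF.
        String[] samples = {
            "bounce@example.org",
            "bounce@example.org\r\nextra-line"
        };
        for (String raw : samples) {
            String safe = stripLineBreaks(raw);
            System.out.printf("line break found: %-5b  sanitized: %s%n",
                    containsLineBreak(raw), safe);
            // With commons-email on the classpath, the sanitized value is what gets passed on:
            // email.setBounceAddress(safe);
        }
    }
}
```

Where silently altering input is undesirable, containsLineBreak lets the caller reject the value instead of passing a stripped one on.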

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2018-1294
GHSA-V7CM-W955-PJ6G
MGASA-2018-0136

Affected Products

Apache Commons Email