PT-2018-8256 · Apache · Apache Pony Mail
Published
2018-10-04
·
Updated
2019-01-08
·
CVE-2017-5658
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Pony Mail versions 0.7 through 0.9
Description:
The statistics generator in Apache Pony Mail was found to be returning timestamp data without proper authorization checks, potentially leading to derived information disclosure on private lists about the timing of specific email subjects or text bodies. This issue was primarily related to a caching feature used for faster loading times, which was disabled by default to prevent this.
Recommendations:
For Apache Pony Mail versions 0.7 through 0.9, upgrade to version 0.10 to address this issue.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Pony Mail