Lucene search

ApacheCVE-2018-1294

HistoryMar 20, 2018 - 5:29 p.m.

CVE-2018-1294

2018-03-2017:29:00

CWE-20

apache

web.nvd.nist.gov

apache commons email

bounce address

input validation

manipulation

vulnerability

mitigation

upgrade

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

44.1%

JSON

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called “Bounce Address”, and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String).

Affected configurations

Nvd

Node

apachecommons_emailRange1.0–1.4

VendorProductVersionCPE
apachecommons_email*cpe:2.3:a:apache:commons_email:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	commons_email	*	cpe:2.3:a:apache:commons_email::::::::

CNA Affected

[
  {
    "product": "Apache Commons Email",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "versions prior to 1.5"
      }
    ]
  }
]