Bug 1540000 (CVE-2018-1294) - CVE-2018-1294 apache-commons-email: Improper validation in Email.setBounceAddress() can allow for email modification
Summary: CVE-2018-1294 apache-commons-email: Improper validation in Email.setBounceAdd...
Status: CLOSED ERRATA
Alias: CVE-2018-1294
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180126,repor...
Keywords: Security
Depends On: 1540001
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-30 03:34 UTC by Sam Fowler
Modified: 2019-04-04 12:54 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-04-04 12:54:27 UTC


Attachments (Terms of Use)

Description Sam Fowler 2018-01-30 03:34:46 UTC
Apache Commons-Email, from version 1.0 to 1.4 inclusive, does not properly validate bounce addresses. If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

External References:
http://openwall.com/lists/oss-security/2018/01/26/5

Upstream Revision:
https://svn.apache.org/viewvc?view=revision&revision=1777030

Comment 1 Sam Fowler 2018-01-30 03:35:05 UTC
Created apache-commons-email tracking bugs for this issue:

Affects: fedora-all [bug 1540001]


Note You need to log in before you can comment on or make changes to this bug.