1540000 – (CVE-2018-1294) CVE-2018-1294 apache-commons-email: Improper validation in Email.setBounceAddress() can allow for email modification

Bug 1540000 (CVE-2018-1294) - CVE-2018-1294 apache-commons-email: Improper validation in Email.setBounceAddress() can allow for email modification

Summary: CVE-2018-1294 apache-commons-email: Improper validation in Email.setBounceAdd...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1294
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1540001
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-30 03:34 UTC by Sam Fowler
Modified:	2019-09-29 14:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:	apache-commons-email 1.5
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-04 12:54:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-01-30 03:34:46 UTC

Apache Commons-Email, from version 1.0 to 1.4 inclusive, does not properly validate bounce addresses. If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

External References:
http://openwall.com/lists/oss-security/2018/01/26/5

Upstream Revision:
https://svn.apache.org/viewvc?view=revision&amp;revision=1777030

Comment 1 Sam Fowler 2018-01-30 03:35:05 UTC

Created apache-commons-email tracking bugs for this issue:

Affects: fedora-all [bug 1540001]

Note You need to log in before you can comment on or make changes to this bug.