-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2017-9801: Apache Commons Email SMTP header injection vulnerabilty

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Email 1.0 to 1.4.

Description:
When a call-site passes a subject for an email that contains
line-breaks, the caller can add arbitrary SMTP headers.

Mitigation:
Users should upgrade to Commons Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from the subject before passing it to
the setSubject(String) method.

Credit:
This issue was discovered by ´╗┐Adam Williams.

References:
http://commons.apache.org/proper/commons-email/security-reports.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlmAyP8ACgkQohFa4V9ri3K7XQCgj69yH9nkBGRVJBG9+0DS1jc8
GJUAnRZrLznaNRzokj08JGBMy5wwHNTt
=oSDx
-----END PGP SIGNATURE-----

Reply via email to