Information Disclosure in JavaMail API Used by Apache Tomcat
CVE-2005-1754
Currently unrated
What is CVE-2005-1754?
JavaMail API versions 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allow remote attackers to read arbitrary files by supplying a full pathname in the argument to the Download parameter. The issue arises from the way JavaMail processes requests, which can expose sensitive file information. Sun and Apache have disagreed about the validity of the reported vulnerabilities.
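One way a download handler can refuse the kind of input described above, shown as an added example that is not code from JavaMail, Tomcat, or the original page. The class `DownloadPathGuard`, its `resolve` method and the sample inputs are hypothetical, and the sketch assumes all downloadable files live under a single base directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: DownloadPathGuard and every name in it are hypothetical.
public final class DownloadPathGuard {

    /** Maps a client-supplied Download value to a file under baseDir, or throws. */
    static Path resolve(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed name");
        }
        Path candidate;
        try {
            candidate = Paths.get(requested);
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed name");
        }
        // The case the advisory describes: a full pathname must never be honoured.
        // The string checks also catch Windows-style paths when running on Unix.
        if (candidate.isAbsolute() || requested.startsWith("/") || requested.startsWith("\\")
                || requested.matches("^[A-Za-z]:.*")) {
            throw new SecurityException("absolute path rejected");
        }
        Path base = baseDir.toRealPath();
        Path target = base.resolve(candidate).normalize();
        // Resolve symlinks when the file exists so a link cannot point outside base.
        if (Files.exists(target)) {
            target = target.toRealPath();
        }
        if (!target.startsWith(base)) {
            throw new SecurityException("path escapes download directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("attachments"); // constructed sample directory
        Files.write(base.resolve("report.txt"), "ok".getBytes());
        // Constructed sample inputs: one legitimate name, then names that must be refused.
        String[] samples = {"report.txt", "/etc/passwd", "C:\\boot.ini", "../outside.txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(base, s));
            } catch (SecurityException e) {
                System.out.println(s + " -> refused: " + e.getMessage());
            }
        }
    }
}
```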