Information Disclosure Vulnerability in Apache Pony Mail by Apache Software Foundation
CVE-2017-5658

5.3 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
4 October 2018

What is CVE-2017-5658?

The statistics generator in Apache Pony Mail versions 0.7 to 0.9 handles timestamp data without sufficient authorization checks. This allows derived information disclosure about the timing of email subjects or text bodies in private lists, although it does not expose the content of those emails. Because the affected component is a caching mechanism for improved loading times, caching was set to be off by default to mitigate the risk. Users of version 0.9 are advised to upgrade to version 0.10, which fixes the issue.

Affected Version(s)

Apache Pony Mail 0.7 to 0.9 (incubating)

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved