SMTP Header Injection Vulnerability in Apache Commons Email by Apache
CVE-2017-9801

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Commons Email
Vendor
CVE Published:
7 August 2017

Summary

This vulnerability in Apache Commons Email versions 1.0 to 1.4 allows an attacker to inject arbitrary SMTP headers by exploiting line breaks in the email subject. When a call-site passes a subject containing line breaks, it can alter the email structure and introduce harmful headers, potentially leading to unauthorized actions, spam, or information leakage.

Affected Version(s)

Apache Commons Email 1.0 to 1.4

References

https://lists.apache.org/thread.html/7ef903a772a2ff08605d...
mailing-listx_refsource_MLIST
http://www.securitytracker.com/id/1039043
vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/100082
vdb-entryx_refsource_BID

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.