## Vulnerable Library - commons-email-1.2.jar

Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.

Library home page: http://www.apache.org/

Path to vulnerable library: /lib/commons-email-1.2.jar

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

## Vulnerabilities

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation**

## Details

### CVE-2018-1294
### Vulnerable Library - commons-email-1.2.jar

Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/commons-email-1.2.jar
Dependency Hierarchy:
- :x: **commons-email-1.2.jar** (Vulnerable Library)
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Found in base branch: main
### Vulnerability Details

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data that will be passed to Email.setBounceAddress(String).
Publish Date: 2018-03-20
URL: CVE-2018-1294
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-v7cm-w955-pj6g
Release Date: 2018-03-20
Fix Resolution: org.apache.commons:commons-email:1.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

### CVE-2017-9801
### Vulnerable Library - commons-email-1.2.jar

Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/commons-email-1.2.jar
Dependency Hierarchy:
- :x: **commons-email-1.2.jar** (Vulnerable Library)
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Found in base branch: main
### Vulnerability Details

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
Publish Date: 2017-08-07
URL: CVE-2017-9801
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801
Release Date: 2017-08-07
Fix Resolution: 1.5