Apache Commons logo Commons Email

General Information

For information about reporting or asking questions about security problems, please see the security page of the Commons project.

Apache Commons Email Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Commons Email. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Email the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Email version that you are using.

If you need help on building Commons Email or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Commons Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache Commons Email 1.5

Low: SMTP header injection vulnerabilty CVE-2017-9801

When passing text that contains line-breaks as the subject of an email arbitrary SMTP headers can be added.

This was fixed in revisions 1801385 1801388 and 1801389.

This was first reported to the Security Team on 27 June 2017 and made public on 1 August 2017.

Affects: 1.0 - 1.4

Moderate: Insufficient input validation for bounce address CVE-2018-1294

When passing text that contains line-breaks as the bounce address of an Email, then the email details (SMTP headers, recipient list, contents) can be manipulated.

This was fixed in revisions 1777030

This was first reported to the Security Team on 02-Sep-2016 and made public on 26-Jan-2018.

Affects: 1.0-1.4

Errors and Ommissions

Please report any errors or omissions to the dev mailing list.