Описание
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
A flaw was found in com.sun.mail/jakarta.mail. The jakarta.mail component allows an attacker to inject SMTP messages by exploiting improper handling of carriage return and newline characters encoded in UTF-8. An unauthenticated attacker can leverage this vulnerability to send arbitrary SMTP messages. This injection occurs via crafted email content, potentially leading to unauthorized message transmission.
Отчет
The assigned Moderate severity reflects that while the vulnerability can be exploited remotely, it requires an attacker to have some level of privilege on the system. The impact is primarily on the integrity of email messages, without affecting confidentiality or availability. This aligns with Red Hat's definition of a Moderate impact flaw, where exploitation is more difficult but could still lead to a compromise of resource integrity under specific circumstances. This vulnerability affects Jakarta Mail v2.2. The affected version of Jakarta Mail is not shipped in Red Hat products.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Apache Camel 4 for Quarkus 3 | angus-mail | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | angus-mail | Fix deferred | ||
| Red Hat build of Apicurio Registry 3 | angus-mail | Fix deferred | ||
| Red Hat Build of Keycloak | angus-mail | Fix deferred | ||
| Red Hat build of Quarkus | angus-mail | Fix deferred | ||
| Red Hat Data Grid 8 | angus-mail | Fix deferred | ||
| Red Hat Data Grid 8 | jakarta.mail | Not affected | ||
| Red Hat Enterprise Linux 9 | jmc | Not affected | ||
| Red Hat Fuse 7 | jakarta.mail | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | jakarta.mail | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by ut ...
EPSS
5.3 Medium
CVSS3