CVE-2018-1294

{"id": "CVE-2018-1294", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-03-20T17:29:00.207", "references": [{"url": "http://seclists.org/oss-sec/2018/q1/107", "tags": ["Mitigation", "Mailing List", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called \"Bounce Address\", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String)."}, {"lang": "es", "value": "Si un usuario de Apache Commons Email (normalmente un programador de aplicaciones) pasa entradas no validadas como \"Bounce Address\" que contienen saltos de l\u00ednea, los detalles de email (destinatarios, contenido, etc.) podr\u00edan ser manipulados. Mitigaci\u00f3n: Los usuarios deber\u00edan actualizar a Commons-Email 1.5. Se puede mitigar esta vulnerabilidad en versiones antiguas de Commons Email eliminando los saltos de l\u00ednea de los datos que ser\u00e1n pasados a Email.setBounceAddress(String)."}], "lastModified": "2019-03-07T14:19:35.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_email:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D40F5E36-3CFC-4DD5-8260-05923D072A0D", "versionEndIncluding": "1.4", "versionStartIncluding": "1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}