CVE-2018-1294 - Improper Input Validation

Severity: Low

2021-12-08


Abstract

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

The Oxygen XML products incorporate Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Content Fusion 4.1 and older

Severity: Low

Fixed Release Availability: Oxygen Content Fusion 4.1.2 build 2021112414

Mitigation

None

Detail

CVE-2018-1294

Severity: High

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version named in the CVE-2018-1294 vulnerability description. However, the Oxygen XML software products validate input before it is passed to Email.setBounceAddress(String). Therefore, Oxygen XML software products are not impacted by CVE-2018-1294.
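As an added illustration of the kind of check the paragraph above describes (example code written for this advisory page, not Oxygen XML's or Apache Commons Email's own implementation): a small Java validator that rejects a bounce address containing CR, LF or any other control character, and accepts only a single bare addr-spec, so that an application can run it before the value reaches Email.setBounceAddress(String). The class name, the regular expression and the sample inputs are assumptions; the code uses only the JDK.

```java
import java.util.regex.Pattern;

/**
 * Rejects bounce-address values that could smuggle extra header lines into
 * the outgoing message. Hypothetical helper, not part of Apache Commons Email
 * or Oxygen XML; an application would call it before Email.setBounceAddress.
 */
public final class BounceAddressValidator {

    // Conservative addr-spec shape: local part, "@", dotted domain labels.
    // Deliberately narrower than RFC 5322: one address, no display name,
    // no whitespace, and therefore no room for line breaks or folded headers.
    private static final Pattern ADDR_SPEC = Pattern.compile(
        "^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}@"
      + "(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63}$");

    private BounceAddressValidator() {}

    /** True when the value is safe to hand to a mail library as a bounce address. */
    public static boolean isValid(String candidate) {
        if (candidate == null || candidate.length() > 254) {
            return false;
        }
        // Explicit control-character check first: CR and LF are what turn one
        // header value into several, which is the defect CVE-2018-1294 describes.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return false;
            }
        }
        return ADDR_SPEC.matcher(candidate).matches();
    }

    /** Returns the address unchanged or throws, so a caller cannot skip the check. */
    public static String requireValid(String candidate) {
        if (!isValid(candidate)) {
            throw new IllegalArgumentException(
                "bounce address rejected: contains control characters or is not a bare addr-spec");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration (not from the advisory).
        String[] samples = {
            "bounces@example.com",                      // accepted
            "bounces@example.com\r\nX-Constructed: 1",  // rejected: CRLF in value
            "bounces@example.com\n",                    // rejected: bare LF
            "Ops <bounces@example.com>",                // rejected: display name, spaces
            "bounces@example"                           // rejected: no top-level label
        };
        for (String s : samples) {
            System.out.println(escape(s) + " -> " + (isValid(s) ? "accepted" : "rejected"));
        }
    }

    private static String escape(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }
}
```

The check belongs at the trust boundary where the application first receives the address, not deep inside mail-sending code; with `requireValid` wrapping every call into the mail library, a forgotten validation fails loudly rather than silently producing a message with extra headers. Upgrading the library to a version that fixes CVE-2018-1294 removes the library-side defect; validating at the application level in addition keeps the protection independent of which library version is deployed.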

Starting with Oxygen Content Fusion version 4.1, Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2018-1294.
