#VU98523 Improper Certificate Validation in Apache Sling Commons Messaging Mail - CVE-2021-44549


Vulnerability identifier: #VU98523

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-44549

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Sling Commons Messaging Mail
Server applications / Other server solutions

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation when sending emails via SMTPS. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Sling Commons Messaging Mail: 1.0.0

External links
https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Keycloak update for Apache Sling Commons Messaging Mail
Red Hat Product OCP Tools 4 update for Openshift Jenkins
Red Hat Product OCP Tools 4 update for Openshift Jenkins
Red Hat Product OCP Tools 4 update for Openshift Jenkins
Red Hat Product OCP Tools 4 update for Openshift Jenkins
Multiple vulnerabilities in Red Hat build of Quarkus 3.2.12
Multiple vulnerabilities in Red Hat build of Quarkus 3.8.6
MitM attack in Apache Sling Commons Messaging Mail