CVE-2017-5658

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-5658

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5658.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-5658

Published

2018-10-04T14:29:00Z

Modified

2025-01-14T07:12:46.728065Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

The statistics generator in Apache Pony Mail 0.7 to 0.9 was found to be returning timestamp data without proper authorization checks. This could lead to derived information disclosure on private lists about the timing of specific email subjects or text bodies, though without disclosing the content itself. As this was primarily used as a caching feature for faster loading times, the caching was disabled by default to prevent this. Users using 0.9 should upgrade to 0.10 to address this issue.

References

https://lists.apache.org/thread.html/6a18cf5690d54231836f277f2b4346b53da3b6b6b08fee4c4ef4977e%40%3Cdev.ponymail.apache.org%3E

Affected packages

Git / github.com/apache/incubator-ponymail

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-ponymail
Events: Introduced

db2596f1083154cef2a1fb73fe9b5d13ad5ae482

Last affected

116797982cec1e483349ed48a397e0b0cdad5b1d

Affected versions

0.*

0.7b

0.8b

0.9