[LPS-74275] COMMONS-EMAIL and CVE-2017-9801 - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.0.3 CE GA4
Fix Version/s: 6.2.X EE, 7.0.0 DXP FP33, 7.0.0 DXP SP7, 7.0.5 CE GA6, 7.0.X, Master
Component/s: Core Infrastructure > Message Bus, Portal Services > Service Bus
Labels:

Branch Version/s:

7.0.x, 6.2.x
Backported to Branch:

Committed
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/51893
Bug Type:
Security

Description

The source code responsible for creating emails, independently from origin, is not checking the Subject line.

Emails sent to the message bus or mail service that eventually lands here: https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/mail/kernel/model/MailMessage.java could benefit from multi-line check or sanitation.

https://nvd.nist.gov/vuln/detail/CVE-2017-9801

Upgrading the library would be a great plus, but it seems that a version change would affect several components and even third party software/plug-ins.

Attachments

Issue Links

relates

LPE-16207 CVE-2017-9801 vulnerability in Commons Emails

Closed

Activity

People

Assignee:: Brian Chan

Reporter:: Victor de Lima Soares

Participants of an Issue:: Brian Chan, Raymond Auge, Victor de Lima Soares, Yuxing Wu

Recent user:: Kiyoshi Lee

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/Aug/17 3:29 PM

Updated:: 10/Jul/19 5:26 AM

Resolved:: 12/Oct/17 6:39 PM

Days since last comment:: 5 years, 35 weeks, 6 days ago

Packages

Version	Package
6.2.X EE
7.0.0 DXP FP33
7.0.0 DXP SP7
7.0.5 CE GA6
7.0.X
Master