What is the vulnerability ID?

The vulnerability ID is CVE-2021-44549.

What is the severity of CVE-2021-44549?

The severity of CVE-2021-44549 is high (7.4).

What is the affected software for CVE-2021-44549?

The affected software for CVE-2021-44549 is Apache Sling Commons Messaging Mail version 1.0.0.

How does CVE-2021-44549 impact the software?

CVE-2021-44549 allows for potential 'man in the middle' attacks when accessing mail servers via SMTPS.

Is there a fix available for CVE-2021-44549?

Yes, the fix for CVE-2021-44549 is to perform additional server identity checks when accessing mail servers.

Vulnerability/
CVE-2021-44549

high

7.4

CWE

295 297

14/12/2021

21/11/2024

CVE-2021-44549: SMTPS server hostname not checked when making TLS connection to SMTPS server

First published: Tue Dec 14 2021(Updated: )

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Sling Commons Messaging Mail	=1.0.0
	=1.0.0

Never miss a vulnerability like this again

Reference Links

https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f

Frequently Asked Questions

What is the vulnerability ID?
The vulnerability ID is CVE-2021-44549.
What is the severity of CVE-2021-44549?
The severity of CVE-2021-44549 is high (7.4).
What is the affected software for CVE-2021-44549?
The affected software for CVE-2021-44549 is Apache Sling Commons Messaging Mail version 1.0.0.
How does CVE-2021-44549 impact the software?
CVE-2021-44549 allows for potential 'man in the middle' attacks when accessing mail servers via SMTPS.
Is there a fix available for CVE-2021-44549?
Yes, the fix for CVE-2021-44549 is to perform additional server identity checks when accessing mail servers.

collector/nvd-index
agent/weakness
agent/type
collector/mitre-cve
source/MITRE
agent/references
agent/severity
agent/title
agent/description
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/author
agent/softwarecombine
agent/event
agent/tags
agent/source
vendor/apache
canonical/apache sling commons messaging mail
version/apache sling commons messaging mail/1.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.