Vulnerability Details : CVE-2005-1753
ReadMessage.jsp in JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to view other users' e-mail attachments via a direct request to /mailboxesdir/username@domainname. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products.
Products affected by CVE-2005-1753
- cpe:2.3:a:sun:javamail:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:sun:javamail:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:sun:javamail:1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2005-1753
0.43%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2005-1753
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2005-1753
-
Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2005-1753
-
Red Hat 2006-08-30We do not believe this is a security issue; this is a deliberate circumvention of the Javamail API. The Javamail API provides a comprehensive and secure method to retrieve mail. In this example, the author retreives the message directly from the mail directory on the filesystem. Even if the user insists on using this incorrect way of accessing mail, then the permissions set by the dovecot and tomcat packages are enough to protect against direct access to most of the files listed in the bug report.
References for CVE-2005-1753
-
http://tomcat.apache.org/security-5.html
Apache Tomcat® - Apache Tomcat 5 vulnerabilities
-
http://marc.info/?l=bugtraq&m=111697083812367&w=2
'Javamail Multiple Information Disclosure Vulnerabilities' - MARC
Jump to