ReadMessage.jsp in JavaMail API 1.1.3 up to and including 1.3, as used by Apache Tomcat 5.0.16, allows remote malicious users to view other users' e-mail attachments via a direct request to /mailboxesdir/username@domainname. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sun javamail 1.1.3 |
||
sun javamail 1.3 |
||
sun javamail 1.2 |