JavaMail API 1.1.3 up to and including 1.3, as used by Apache Tomcat 5.0.16, allows remote malicious users to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sun javamail 1.1.3 |
||
sun javamail 1.3 |
||
sun javamail 1.2 |
||
apache tomcat apache tomcat 5.0.16 |
||
sun javamail 1.3.2 |