From SecurityFocus.com: The MimeMessage method in the Sun JavaMail API does not perform sufficient validation on message number values that are passed to the method during requests. An attacker that can successfully authenticate to an email server implementation that is written using the Sun JavaMail API, may exploit this issue to make requests for arbitrary email messages that are stored on the server.

--

I am not sure if it actually affects us at the moment, since it says that versions 1.3 and 1.3.2 are vulnerable. In the tree we have version 1.3.1. Please decide what to do with the bug and check if it affects 1.3.1 too.

Reproducible: Always
Steps to Reproduce:
java, please advise.
No fix yet from Sun.
1.3.3 is in "early release" stage. Maybe it contains the fixorz.
1.3.3 is out, and apparently the thing wasn't fixed: http://java.sun.com/products/javamail/CHANGES.txt

I think we should close this one as CANTFIX and declare this a feature, not a vulnerability. Servers using JavaMail for implementation can put protections in place to avoid the problem...
Since upstream doesn't consider this a vulnerability, we'll suppose they consider it a feature to be able to request any messageno as any user, and the task of the API implementer to put additional safeguards if needed. Closing as CANTFIX. Reopen if you disagree.