The MimeMessage method in the Sun JavaMail API does not perform sufficient
validation on message number values that are passed to the method during
requests. An attacker that can successfully authenticate to an email server
implementation that is written using the Sun JavaMail API, may exploit this
issue to make requests for arbitrary email messages that are stored on the server.
I am not sure if it actually effects us at the moment, since it says that
versions 1.3 and 1.3.2 are vulnerable. In the tree we have version 1.3.1. Please
decide what to do with the bug and check if it effects 1.3.1 too.
Steps to Reproduce:
java please advise.
No fix yet from Sun.
1.3.3 is in "early release" stage. Maybe it contains the fixorz.
1.3.3 is out, and apparently the thing wasn't fixed :
I think we should close this one as CANTFIX and declare this a feature, not a
vulnerability. Servers using JavaMail for implementation can put protections in
place to avoid the problem...
Since upstream doesn't consider this a vulnerability, we'll suppose tey consider
it is a feature to be able to request any messageno as any user, and the task of
the API implementer to put additional safeguards if needed.
Closing as CANTFIX. Reopen if you disagree.