CVE-2024-21742
Header Injection vulnerability in apache-mime4j-core (Maven)
What is CVE-2024-21742 About?
This vulnerability is an improper input validation issue in the MIME4J library when composing messages using MIME4J DOM. It allows for header injection, enabling attackers to add unintended headers to MIME messages. Exploitation is remote and requires crafting specific input to the message composition function.
Affected Software
Technical Details
The vulnerability exists in the MIME4J library and specifically impacts scenarios where the MIME4J DOM is used for composing MIME messages. The root cause is improper input validation for headers. An attacker can supply input that, when processed by the message composition function, is not correctly sanitized or escaped. This allows the attacker to inject additional header fields into the MIME message that were not intended by the application developer. For instance, by including newline characters or other special characters within a user-controlled header value, the attacker can break out of the intended header and insert new, entirely arbitrary header fields (e.g., Bcc, X-Mailer, or custom malicious headers). This enables an attacker to manipulate the structure and content of the generated MIME message beyond its legitimate purpose.
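The mechanism described above, shown as an added example that is not code from MIME4J or from this advisory: a composer that writes header values verbatim turns two supplied fields into three on the wire, while a caller-side check rejects the value before composition. The class and method names, the simplified serializer and the sample addresses are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderInjectionCheck {

    // Simplified stand-in for a composer that writes values verbatim (not mime4j code).
    static String serializeUnchecked(Map<String, String> headers) {
        StringBuilder out = new StringBuilder();
        headers.forEach((name, value) -> out.append(name).append(": ").append(value).append("\r\n"));
        return out.toString();
    }

    // Reject CR, LF and other control characters (tab allowed) before the value reaches the composer.
    static String requireSafeHeaderValue(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || (c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException(
                        "Control character 0x" + Integer.toHexString(c) + " in value of header " + name);
            }
        }
        return value;
    }

    // Count the header fields a receiving parser would see: each non-folded line starts a new field.
    static int countFields(String wire) {
        int count = 0;
        for (String line : wire.split("\r\n|\r|\n")) {
            if (!line.isEmpty() && line.charAt(0) != ' ' && line.charAt(0) != '\t') {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("To", "support@example.invalid");
        // Constructed form input: the subject carries an embedded CRLF followed by a second field.
        headers.put("Subject", "Hello\r\nBcc: third-party@example.invalid");

        String wire = serializeUnchecked(headers);
        System.out.println("fields supplied: " + headers.size() + ", fields on the wire: " + countFields(wire));

        try {
            headers.forEach(HeaderInjectionCheck::requireSafeHeaderValue);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before composition: " + e.getMessage());
        }
    }
}
```

A check of this kind is defence in depth for user-controlled header values; the fix for the library itself is the upgrade to 0.8.10 listed under the available fixes.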
What is the Impact of CVE-2024-21742?
Successful exploitation may allow attackers to spoof sender addresses, inject malicious content into email headers, bypass security filters, or perform phishing attacks by manipulating MIME message properties.
What is the Exploitability of CVE-2024-21742?
Exploitation of this vulnerability is of moderate complexity. An attacker needs to identify an application that uses the MIME4J library to compose MIME messages (e.g., for email sending, document packaging, or web service communication) and feed it specifically crafted input that will be used to populate a header field. The injection typically relies on including newline characters or other header-terminating sequences within the user-supplied data. No authentication is strictly required if the message composition functionality is exposed to unauthenticated users, such as through a contact form. No specific privileges are needed beyond submitting the malformed input. This is a remote vulnerability. The primary risk factors are applications that construct MIME messages using MIME4J DOM with user-controlled data provided as header values without proper sanitization, especially in email generation or communication systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21742?
Available Upgrade Options
- org.apache.james:apache-mime4j-core
- <0.8.10 → Upgrade to 0.8.10
Additional Resources
- https://github.com/apache/james-mime4j
- https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
- https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy
- https://github.com/apache/james-mime4j/commit/d25fb3fd35db42b060789a20634fbe3cb84aba17
- http://www.openwall.com/lists/oss-security/2024/02/27/5
- https://nvd.nist.gov/vuln/detail/CVE-2024-21742
- https://osv.dev/vulnerability/GHSA-jw7r-rxff-gv24
What are Similar Vulnerabilities to CVE-2024-21742?
Similar Vulnerabilities: CVE-2017-7661, CVE-2015-1833, CVE-2018-1000632, CVE-2013-4316, CVE-2019-12403
