Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2005-1754

CWE-200 — Information Exposure4 documents4 sources

Severity

5.0MEDIUM

EPSS

8.9%

top 7.45%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Tomcat Apache Tomcat SUN Javamail

Timeline

PublishedDec 31

Latest updateMay 1

Description

JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDapache_tomcat/apache_tomcat5.0.16

▶NVDsun/javamail4 versions+3

🔴Vulnerability Details

GHSA

GHSA-h69g-x235-8mrr: ** DISPUTED ** JavaMail API 1↗2022-05-01

▶

CVEList

CVE-2005-1754: JavaMail API 1↗2006-05-21

▶

💥Exploits & PoCs

Exploit-DB

Sun JavaMail 1.x - Multiple Information Disclosure Vulnerabilities↗2005-05-24

▶