Description
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
CVSS breakdown
CVSS 3.1
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Affected products
- Spring / Spring Boot4.0.0 – 4.0.6.1
- Spring / Spring Boot3.5.0 – 3.5.14.1
- Spring / Spring Boot3.4.0 – 3.4.17