CVE-2021-44549— SMTPS server hostname not checked when making TLS connection to SMTPS server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-44549
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SMTPS server hostname not checked when making TLS connection to SMTPS server
Source: NVD (National Vulnerability Database)
Vulnerability Description
Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
证书验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Sling Commons Messaging Mail 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Sling Commons Messaging Mail是美国Apache基金会的一款开源消息传递邮件服务。 Apache Sling Commons Messaging Mail 存在安全漏洞,该漏洞源于 Apache Sling Commons Messaging Mail 在 JavaMail/Jakarta Mail 之上为 OSGi 提供了一个简单的层,用于通过 SMTPS 发送邮件。为了降低中间人攻击的风险,在访问邮件服务器时必须执行额外的服务器身份检查。出于兼容性原因,Java
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling Commons Messaging Mail | Apache Sling Commons Messaging Mail 1.0.0 1.0.0 | - |
II. Public POCs for CVE-2021-44549
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-44549
请登录查看更多情报信息。
- https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7fx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-44549
Same Patch Batch · Apache Software Foundation · 2021-12-14 · 3 CVEs total
| CVE-2021-4104 | Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2 | |
| CVE-2021-45046 | Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a de |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-295
V. Comments for CVE-2021-44549
No comments yet