Published: 2016/10/13  Last Updated: 2016/10/13

JVN#70380788
BASP21 vulnerable to mail header injection

Overview

BASP21 contains a mail header injection vulnerability.

Products Affected

BASP21
  • Bsmtp.dll prior to V2,7,5,31
  • Bsendm.exe prior to V2,7,5,31

BASP21 Pro
  • basp21p.dll versions prior to 1,0,704,16

Description

BASP21 provided by B21Soft, Inc. contains a mail header injection vulnerability.

Impact

The header of an email created by BASP21 to be sent from a web application mail form may be altered by an unauthenticated remote attacker. As a result, an unintended email may be sent or a denial-of-service (DoS) condition may be caused.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
B21Soft, Inc. | Vulnerable | 2016/10/13 | B21Soft, Inc. website

References

JPCERT/CC Addendum

This issue was reported due to an insufficient fix for the vulnerability stated in JVN#86092776.

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Base Score: 4.8
  • Attack Vector (AV): Network (N) [options: Physical (P), Local (L), Adjacent (A), Network (N)]
  • Attack Complexity (AC): High (H) [options: High (H), Low (L)]
  • Privileges Required (PR): None (N) [options: High (H), Low (L), None (N)]
  • User Interaction (UI): None (N) [options: Required (R), None (N)]
  • Scope (S): Unchanged (U) [options: Unchanged (U), Changed (C)]
  • Confidentiality Impact (C): None (N) [options: None (N), Low (L), High (H)]
  • Integrity Impact (I): Low (L) [options: None (N), Low (L), High (H)]
  • Availability Impact (A): Low (L) [options: None (N), Low (L), High (H)]

CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:P
Base Score: 5.8
  • Access Vector (AV): Network (N) [options: Local (L), Adjacent Network (A), Network (N)]
  • Access Complexity (AC): Medium (M) [options: High (H), Medium (M), Low (L)]
  • Authentication (Au): None (N) [options: Multiple (M), Single (S), None (N)]
  • Confidentiality Impact (C): None (N) [options: None (N), Partial (P), Complete (C)]
  • Integrity Impact (I): Partial (P) [options: None (N), Partial (P), Complete (C)]
  • Availability Impact (A): Partial (P) [options: None (N), Partial (P), Complete (C)]

Credit

Tomoki Sanaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2007-1713
JVN iPedia: JVNDB-2007-000226