bbottema / simple-java-mail

Simple API, Complex Emails (Jakarta Mail smtp wrapper)

Home Page: http://www.simplejavamail.org

Safeguard subject property (and others) against SMTP CRLF injection attacks

bbottema opened this issue · comments

It is possible to set a subject which contains newlines and custom SMTP protocol directives which directly set the body of the email. This can be an issue when the subject comes from an external resource.

As a matter of precaution, Simple Java Mail should simply remove newline characters from all values (except for the body).

Also see:

Released in 4.3.0.
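
The effect described in the issue, as an added example that is not Simple Java Mail's own code: a subject containing CRLF ends the header block early, and stripping CR/LF from header values prevents it. `HeaderSanitizerDemo`, `stripLineBreaks`, `render` and `parsedBody` are hypothetical names, the serializer is a naive stand-in for a real MIME writer, and the subject string is constructed sample input.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderSanitizerDemo {

    // Removes CR and LF so a header value can never terminate its own line.
    static String stripLineBreaks(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "");
    }

    // Naive stand-in for message serialization: "Name: value" lines,
    // one empty line, then the body. No folding or encoding is applied.
    static String render(Map<String, String> headers, String body) {
        StringBuilder sb = new StringBuilder();
        headers.forEach((k, v) -> sb.append(k).append(": ").append(v).append("\r\n"));
        return sb.append("\r\n").append(body).toString();
    }

    // The body as a receiving parser sees it: everything after the first empty line.
    static String parsedBody(String raw) {
        int i = raw.indexOf("\r\n\r\n");
        return i < 0 ? "" : raw.substring(i + 4);
    }

    // First line of a CRLF-delimited text, used to keep the printed output short.
    static String firstLine(String text) {
        int i = text.indexOf("\r\n");
        return i < 0 ? text : text.substring(0, i);
    }

    public static void main(String[] args) {
        // Constructed input: a subject from an external source that embeds an empty line.
        String subject = "Invoice 42\r\n\r\nText the sender never wrote";
        String body = "Intended body";

        Map<String, String> unsafe = new LinkedHashMap<>();
        unsafe.put("Subject", subject);
        unsafe.put("X-Mailer", "demo");

        // Same headers with every value passed through the sanitizer (the body is left alone).
        Map<String, String> safe = new LinkedHashMap<>();
        unsafe.forEach((k, v) -> safe.put(k, stripLineBreaks(v)));

        System.out.println("unsanitized body starts with: " + firstLine(parsedBody(render(unsafe, body))));
        System.out.println("sanitized body starts with:   " + firstLine(parsedBody(render(safe, body))));
    }
}
```

In the unsanitized rendering the `X-Mailer` header also ends up inside the parsed body, which is a useful signal to look for when reviewing stored messages for this problem.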