Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List Third Party Advisory |
https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | Patch Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Sep 2022, 19:16
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/09/20/1 - Mailing List, Third Party Advisory |
20 Sep 2022, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Sep 2022, 20:04
Type | Values Removed | Values Added |
---|---|---|
First Time |
Apache
Apache james |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | (MISC) https://james.apache.org/james/update/2022/08/26/james-3.7.1.html - Patch, Release Notes, Vendor Advisory | |
CPE | cpe:2.3:a:apache:james:*:*:*:*:*:*:*:* cpe:2.3:a:apache:james:3.7.0:*:*:*:*:*:*:* |
|
CWE | CWE-77 |
08 Sep 2022, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-08 08:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-28220
Mitre link : CVE-2022-28220
CVE.ORG link : CVE-2022-28220
JSON object : View
Products Affected
apache
- james
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')