Posted to commits@tomee.apache.org by "AJIT GOPALAN (Jira)" <ji...@apache.org> on 2022/02/14 21:58:00 UTC

[jira] [Created] (TOMEE-3838) TomEE Plume - CVE-2021-40110

AJIT GOPALAN created TOMEE-3838:
-----------------------------------

             Summary: TomEE Plume - CVE-2021-40110
                 Key: TOMEE-3838
                 URL: https://issues.apache.org/jira/browse/TOMEE-3838
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 8.0.9
            Reporter: AJIT GOPALAN


TomEE Plume 8.0.9 suffers from CVE-2021-40110

This is a bug in Apache James that manifests itself in TomEE through the Geronimo Mail jar dependency (layer.tar: apache-tomee-8.0.9-plume.tar.gz: apache-tomee-8.0.9-plume.tar: geronimo-javamail_1.6_mail-1.0.1.jar, which shades org.apache.james:apache-mime4j-core:0.8.1).

CVE Summary:
"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."
https://nvd.nist.gov/vuln/detail/CVE-2021-40110#vulnCurrentDescriptionTitle
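The first thing to verify on a report like this is whether the named dependency is really present in the distribution, and at which version, since the artifact is shaded inside another jar and does not appear as a file of its own. The following Python scanner is an added example, not code from the ticket or from the TomEE project: it walks a distribution archive, descends into nested jars and tarballs, and reads the META-INF/maven/<groupId>/<artifactId>/pom.properties entries that Maven leaves in every jar it builds, so apache-mime4j-core is reported even though it is bundled inside geronimo-javamail. The archive it scans is a constructed in-memory stand-in for the tar.gz, carrying the coordinates and versions stated in the ticket; the directory layout inside it (apache-tomee-plume-8.0.9/lib/...) is an assumption.

```python
import io
import re
import tarfile
import zipfile

# Maven records the coordinates of every module it built at this path,
# which survives shading and relocation of the classes themselves.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
NESTED = (".jar", ".war", ".ear", ".zip", ".tar", ".tar.gz", ".tgz")


def parse_pom_properties(data: bytes) -> dict:
    """Minimal parser for pom.properties (java.util.Properties key=value lines)."""
    props = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _members(blob: bytes):
    """Yield (name, bytes) for each regular file in a zip/jar or (compressed) tar blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
        return
    except zipfile.BadZipFile:
        pass
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()
    except tarfile.TarError:
        return


def scan_archive(name: str, blob: bytes, depth: int = 0, max_depth: int = 6) -> list:
    """Return [(path, groupId, artifactId, version)] for every Maven artifact found,
    descending into nested archives so shaded dependencies are not missed."""
    found = []
    if depth > max_depth:  # bound recursion against archive bombs
        return found
    for entry, data in _members(blob):
        match = POM_PROPS.match(entry)
        if match:
            props = parse_pom_properties(data)
            found.append((name,
                          props.get("groupId", match.group(1)),
                          props.get("artifactId", match.group(2)),
                          props.get("version", "unknown")))
        elif entry.lower().endswith(NESTED):
            found.extend(scan_archive(f"{name}!/{entry}", data, depth + 1, max_depth))
    return found


def find_artifact(inventory: list, group_id: str, artifact_id: str) -> list:
    """Filter an inventory down to one Maven coordinate (any version)."""
    return [e for e in inventory if e[1] == group_id and e[2] == artifact_id]


def build_sample_distribution() -> bytes:
    """Constructed stand-in for apache-tomee-8.0.9-plume.tar.gz: a tar.gz holding
    lib/geronimo-javamail_1.6_mail-1.0.1.jar, which in turn shades apache-mime4j-core.
    Coordinates and versions are those from the ticket; the layout is assumed."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.geronimo.javamail/geronimo-javamail_1.6_mail/pom.properties",
            "groupId=org.apache.geronimo.javamail\n"
            "artifactId=geronimo-javamail_1.6_mail\nversion=1.0.1\n")
        zf.writestr(
            "META-INF/maven/org.apache.james/apache-mime4j-core/pom.properties",
            "#Generated by Maven\ngroupId=org.apache.james\n"
            "artifactId=apache-mime4j-core\nversion=0.8.1\n")
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tf:
        info = tarfile.TarInfo("apache-tomee-plume-8.0.9/lib/geronimo-javamail_1.6_mail-1.0.1.jar")
        info.size = len(jar.getvalue())
        tf.addfile(info, io.BytesIO(jar.getvalue()))
    return tgz.getvalue()


if __name__ == "__main__":
    inventory = scan_archive("apache-tomee-8.0.9-plume.tar.gz", build_sample_distribution())
    for path, group, artifact, version in find_artifact(inventory, "org.apache.james", "apache-mime4j-core"):
        print(f"{group}:{artifact}:{version} shaded in {path}")
```

To run it against a real download, replace build_sample_distribution() with the bytes of the tar.gz; the reported path shows exactly which jar carries the shaded artifact, which is the evidence needed to decide whether a rebuilt Geronimo Mail jar or a TomEE upgrade addresses the finding.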



--
This message was sent by Atlassian Jira
(v8.20.1#820001)