You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@james.apache.org by Benoit Tellier <bt...@apache.org> on 2022/09/19 23:13:25 UTC
CVE-2022-28220: STARTTLS command injection in Apache JAMES
Severity: This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3.
Description:
Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.
This issue is being tracked as JAMES-1862
Mitigation:
Upgrade to Apache James 3.7.1 or Apache James 3.6.3.
Credit:
Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support.
References:
https://james.apache.org/james/update/2022/08/26/james-3.7.1.html
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org