You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@james.apache.org by Benoit Tellier <bt...@apache.org> on 2022/09/19 23:13:25 UTC

CVE-2022-28220: STARTTLS command injection in Apache JAMES

Severity: This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3.

Description:

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. 

Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.



This issue is being tracked as JAMES-1862

Mitigation:

Upgrade to Apache James 3.7.1 or Apache James 3.6.3.

Credit:

Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support.

References:

https://james.apache.org/james/update/2022/08/26/james-3.7.1.html


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org