PT-2022-15740 · Apache · Apache James Server

Jaroslav Lobačevski · Published 2022-02-07 · Updated 2022-02-15 · CVE-2022-22931

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache James Server versions prior to 3.6.2

Description

The issue allows a user to access the data stores of other users whose user names begin with that user's own user name. The root cause is a path traversal check that validated a target directory by comparing it against the permitted base directory without a path delimiter separating the two, so a sibling directory that merely shares the prefix passed validation. Affected implementations include the maildir mailbox store and the Sieve file repository.

Recommendations

For versions prior to 3.6.2, update to version 3.6.2 or later. As a temporary workaround, restrict access to the maildir mailbox store and the Sieve file repository to minimize the risk of exploitation, and avoid user names that are a prefix of other user names, since that relationship is what allows the cross-user access.
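The prefix-without-delimiter check that the description refers to, shown as an added illustration in Python rather than code from Apache James; the mailbox root, the user names `alice` and `alicebob`, and the helper names are constructed for this example.

```python
import posixpath
from typing import Callable, Optional

# Constructed layout for the example: each user's store lives under MAIL_ROOT/<username>/.
MAIL_ROOT = "/var/mail"


def user_dir(username: str) -> str:
    return posixpath.join(MAIL_ROOT, username)


def naive_is_within(base_dir: str, requested: str) -> bool:
    """The flawed validation: a bare prefix test on the canonical path.
    "/var/mail/alicebob/INBOX" starts with "/var/mail/alice", so it passes
    even though it belongs to a different user."""
    return posixpath.normpath(requested).startswith(posixpath.normpath(base_dir))


def strict_is_within(base_dir: str, requested: str) -> bool:
    """Hardened validation: normalise both sides, then require either an exact
    match or the base directory followed by a path delimiter, so a sibling
    directory that only shares the prefix is rejected."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(requested)
    return target == base or target.startswith(base + "/")


def resolve_mailbox(username: str, relative: str,
                    check: Callable[[str, str], bool]) -> Optional[str]:
    """Join the user's root with a client-supplied relative path, canonicalise it
    and apply the given validation. Returns the resolved path if allowed, else None."""
    base = user_dir(username)
    target = posixpath.normpath(posixpath.join(base, relative))
    return target if check(base, target) else None


if __name__ == "__main__":
    # alice asking for a path that resolves into alicebob's store:
    # the naive check lets it through, the strict check refuses it.
    print(resolve_mailbox("alice", "../alicebob/INBOX", naive_is_within))
    print(resolve_mailbox("alice", "../alicebob/INBOX", strict_is_within))
```

A path that resolves into an unrelated user's directory (for example `bob`) is rejected by both checks; only the shared-prefix case separates them, which matches the limited scope stated in the description.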

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-22931
GHSA-V84G-CF5J-XJQX

Affected Products

Apache James Server