CVE-2021-40110

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.apache.james/james-server

Identifiers

GHSA-r58x-wjg8-63m9, CVE-2021-40110

Package Slug

maven/org.apache.james/james-server

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.

Affected Versions

All versions before 3.6.1

Solution

Upgrade to version 3.6.1 or above.

Last Modified

2022-01-11
