GHSA-r58x-wjg8-63m9, CVE-2021-40110
maven/org.apache.james/james-server
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.
All versions before 3.6.1
Upgrade to version 3.6.1 or above.
2022-01-11
source |