CVE-2022-28220

Improper Neutralization of Special Elements used in a Command ('Command Injection') in maven/org.apache.james/james-server

Identifiers

GHSA-w45j-f5g5-w94x, CVE-2022-28220

Package Slug

maven/org.apache.james/james-server

Vulnerability

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

Apache James prior to releases 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. The fix for CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take into account concurrent requests.

Affected Versions

All versions before 3.6.3, version 3.7.0

Solution

Upgrade to versions 3.6.3, 3.7.1 or above.

Last Modified

2022-09-15
