CVE-2021-40110: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

January 8, 2022

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

References

github.com/advisories/GHSA-r58x-wjg8-63m9
nvd.nist.gov/vuln/detail/CVE-2021-40110

Detect and mitigate CVE-2021-40110 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →