CVE-2021-40110: Regular expression Denial of Service

January 4, 2022 (updated May 14, 2024)

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

References

www.openwall.com/lists/oss-security/2022/01/04/2
nvd.nist.gov/vuln/detail/CVE-2021-40110
www.openwall.com/lists/oss-security/2022/01/04/2

Detect and mitigate CVE-2021-40110 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →