oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2022-28220: STARTTLS command injection in Apache JAMES

From: Benoit Tellier <btellier () apache org>
Date: Mon, 19 Sep 2022 23:13:25 +0000
Severity: This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible 
information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity 
could be compromised in POP3.

Description:

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS 
command. 

Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do 
not take into account concurrent requests.



This issue is being tracked as JAMES-1862

Mitigation:

Upgrade to Apache James 3.7.1 or Apache James 3.6.3.

Credit:

Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support.

References:

https://james.apache.org/james/update/2022/08/26/james-3.7.1.html
Previous By Date Next
Previous By Thread Next

Current thread: