CVE-2021-40110 – Apache James IMAP vulnerable to a ReDoS
https://notcve.org/view.php?id=CVE-2021-40110
In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a denial of service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regex in linear time without backtracking. • http://www.openwall.com/lists/oss-security/2022/01/04/2 https://www.openwall.com/lists/oss-security/2022/01/04/2 •
CVE-2021-38542 – Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
https://notcve.org/view.php?id=CVE-2021-38542
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information. • http://www.openwall.com/lists/oss-security/2022/01/04/1 http://www.openwall.com/lists/oss-security/2022/09/20/1 https://www.openwall.com/lists/oss-security/2022/01/04/1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2006-2806
https://notcve.org/view.php?id=CVE-2006-2806
The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command. • http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt http://securityreason.com/securityalert/1038 http://www.securityfocus.com/archive/1/435278/100/0/threaded http://www.securityfocus.com/bid/18138 https://exchange.xforce.ibmcloud.com/vulnerabilities/26786 •
CVE-2004-2650
https://notcve.org/view.php?id=CVE-2004-2650
Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. • http://issues.apache.org/jira/browse/JAMES-268 http://james.apache.org/changelog.html http://www.securityfocus.com/bid/15765 •