
Denial of Service in Apache James

High severity GitHub Reviewed Published Jan 8, 2022 to the GitHub Advisory Database • Updated May 15, 2024

Package

maven org.apache.james:james-server (Maven)

Affected versions

>= 3.1.0, < 3.6.1

Patched versions

3.6.1

Description

In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
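As an added illustration of the mitigation the advisory names (this is not Apache James's code, and the vulnerable pattern itself is not given on this page), the following class translates an IMAP LIST mailbox wildcard into a regex and evaluates it with RE2J; the class name, the wildcard translation and the '.' hierarchy delimiter are my own assumptions:

```java
// Added example, not Apache James's own code: evaluating an IMAP LIST
// mailbox wildcard with RE2J instead of java.util.regex.  RE2J compiles the
// pattern to an automaton and matches in time linear in the input length,
// without backtracking.  Build dependency (Maven): com.google.re2j:re2j
import com.google.re2j.Pattern;

public final class ImapListPattern {
    // Make one character literal.  RE2 syntax accepts a backslash before any
    // ASCII punctuation character; letters and digits must not be escaped,
    // because "\d", "\w" and friends are class shorthands.
    private static String literal(char c) {
        return (c < 128 && !Character.isLetterOrDigit(c)) ? "\\" + c : String.valueOf(c);
    }

    // RFC 3501 LIST wildcards: '*' matches zero or more characters of any
    // kind, '%' matches zero or more characters except the hierarchy
    // delimiter.  Every other character is matched literally.
    static Pattern compile(String wildcard, char delimiter) {
        StringBuilder regex = new StringBuilder();
        for (char c : wildcard.toCharArray()) {
            switch (c) {
                case '*': regex.append(".*"); break;
                case '%': regex.append("[^").append(literal(delimiter)).append("]*"); break;
                default:  regex.append(literal(c));
            }
        }
        // RE2J rejects backreferences and lookarounds at compile time; giving
        // up those features is what buys the linear-time guarantee.
        return Pattern.compile(regex.toString());
    }

    // matches() succeeds only if the whole mailbox name fits the wildcard.
    static boolean matches(Pattern wildcard, String mailbox) {
        return wildcard.matcher(mailbox).matches();
    }

    public static void main(String[] args) {
        char delimiter = '.';  // constructed: a server whose hierarchy delimiter is '.'
        Pattern oneLevel = compile("INBOX.%", delimiter);  // direct children of INBOX
        Pattern subtree = compile("INBOX.*", delimiter);   // the whole INBOX subtree
        for (String mailbox : new String[] {"INBOX.Sent", "INBOX.Sent.2021", "Drafts"}) {
            System.out.println(mailbox + " one-level=" + matches(oneLevel, mailbox)
                    + " subtree=" + matches(subtree, mailbox));
        }
    }
}
```

Swapping the import back to java.util.regex.Pattern compiles unchanged but restores a backtracking matcher, which is the configuration the advisory describes as vulnerable.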

References

Published by the National Vulnerability Database Jan 4, 2022
Reviewed Jan 7, 2022
Published to the GitHub Advisory Database Jan 8, 2022
Last updated May 15, 2024

Severity

High

EPSS score

0.177% (56th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2021-40110

GHSA ID

GHSA-r58x-wjg8-63m9

Source code

No known source code
