CVE-2022-28220

Summary

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache JamesApache James <= 3.6.2affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Workarounds

Upgrade to Apache James 3.7.1 or Apache James 3.6.3.

ADP Enrichment

CVE Program Container

Additional References

References