CVE-2021-38542

CWE-77 — Command Injection CWE-327 — Broken Cryptographic Algorithm5 documents4 sources

Severity

5.9MEDIUM

EPSS

0.6%

top 30.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache James Apache James

Timeline

PublishedJan 4

Latest updateSep 9

Description

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/james< 3.6.1

▶Mavenorg.apache.james:james-server< 3.6.1

▶CVEListV5apache_software_foundation/apache_jamesApache James — 3.6.1+1

🔴Vulnerability Details

GHSA

Apache James vulnerable to buffering attack↗2022-09-09

▶

OSV

Command Injection in Apache James↗2022-01-08

▶

GHSA

Command Injection in Apache James↗2022-01-08

▶

CVEList

Apache James vulnerable to STARTTLS command injection (IMAP and POP3)↗2022-01-04

▶