CVE-2021-40525

CWE-22Path Traversal5 documents4 sources
Severity
9.1CRITICAL
EPSS
2.8%
top 13.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache JamesApache Software Foundation Apache James
Timeline
PublishedJan 4
Latest updateFeb 8

Description

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

NVDapache/james< 3.6.2
CVEListV5apache_software_foundation/apache_jamesApache James3.6.0+1

🔴Vulnerability Details

4
GHSA
Path Traversal in Apache James Server2022-02-08
OSV
Path traversal in Apache James2022-01-21
GHSA
Path traversal in Apache James2022-01-21
CVEList
Sieve file storage vulnerable to path traversal attacks2022-01-04
CVE-2021-40525 (CRITICAL CVSS 9.1) | Apache James ManagedSieve implement | cvebase.io