CVE-2022-22931

CWE-22 — Path Traversal6 documents5 sources

Severity

4.3MEDIUM

EPSS

2.8%

top 13.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache James Apache James

Timeline

PublishedFeb 7

Latest updateJul 15

Description

Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.apache.james:james-server< 3.6.2

▶NVDapache/james3.6.1

▶CVEListV5apache_software_foundation/apache_jamesApache James 3.6.1

🔴Vulnerability Details

GHSA

Path Traversal in Apache James Server↗2022-02-08

▶

OSV

Path Traversal in Apache James Server↗2022-02-08

▶

CVEList

Path traversal in Apache James 3.6.1↗2022-02-07

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Node.js) — CVE-2021-22931↗2022-07-15

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Elastic Search (Node.js) — CVE-2021-22931↗2022-01-15

▶