All the vulnerabilities related to apache - james
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46288D7B-23FB-440D-8533-26870E081E70", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command." } ], "evaluatorSolution": "\"James\" is an acronym for the product Java Mail Enterprise Server.", "id": "CVE-2006-2806", "lastModified": "2024-11-21T00:12:08.070", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-06-05T17:02:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1038" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/18138" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1038" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/18138" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
security@apache.org | https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | Patch, Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | Patch, Release Notes, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "423D85DB-E258-4B34-B941-99C4458273E6", "versionEndIncluding": "3.6.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:james:3.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "7D32CBE3-3A1D-4D8F-8C91-E127FAB55BFF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests." }, { "lang": "es", "value": "Apache James versiones anteriores a 3.6.3 y 3.7.1, es vulnerable a un ataque de almacenamiento en b\u00fafer que depende del uso del comando STARTTLS.\u0026#xa0;La correcci\u00f3n de CVE-2021-38542, que resolvi\u00f3 un problema similar de Apache James versi\u00f3n 3.6.1, est\u00e1 sujeta a un diferencial de analizador y no toma en cuenta las peticiones simult\u00e1neas" } ], "id": "CVE-2022-28220", "lastModified": "2024-11-21T06:56:58.570", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-09-08T08:15:07.813", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "source": "security@apache.org", "tags": [ "Patch", "Release 
Notes", "Vendor Advisory" ], "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Release Notes", "Vendor Advisory" ], "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/04/4 | Mailing List, Third Party Advisory | |
security@apache.org | http://www.openwall.com/lists/oss-security/2022/02/07/1 | Mailing List, Third Party Advisory | |
security@apache.org | https://www.openwall.com/lists/oss-security/2022/01/04/4 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/04/4 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/02/07/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/01/04/4 | Mailing List, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "2735E9B4-1B98-473F-A295-6609E60474E0", "versionEndExcluding": "3.6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted." }, { "lang": "es", "value": "La implementaci\u00f3n de Apache James ManagedSieve junto con el almacenamiento de archivos para los scripts de sieve es vulnerable a un salto de ruta, permitiendo leer y escribir cualquier archivo. Esta vulnerabilidad ha sido parcheada en Apache James versiones 3.6.1 y superiores. Recomendamos la actualizaci\u00f3n. Los productos distribuidos y basados en Cassandra tampoco est\u00e1n afectados" } ], "id": "CVE-2021-40525", "lastModified": "2024-11-21T06:24:19.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-04T09:15:07.423", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/4" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:pdfbox:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "F8ECE6C6-5387-4750-9F67-DBBC039269D2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8786909-2255-4799-BBCD-8B4618F5CEB8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:james:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7E307B96-C1A9-46DC-83AF-F7DFE074BAD8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "55543515-BE87-4D88-8F9B-130FCE792642", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "0D32FE52-C11F-40F0-943A-4FD1241AA599", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "6EE231C5-8BF0-48F4-81EF-7186814664CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9284BB0-343D-46DE-B45D-68081BC20225", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "821A1FAA-6475-4892-97A5-10D434BC2C9F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": 
"2AA5FF83-B693-4DAB-B585-0FD641266231", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "1D99F81D-61BB-4904-BE31-3367D4A98FD1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "93866792-1AAE-40AE-84D0-21250A296BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "45AB3A29-0994-46F4-8093-B4A9CE0BD95F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "2CA1E217-7551-4718-A813-7F55927C7829", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "DE39702F-0176-4C0E-96BA-A344319776B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "AA4A9041-B9BC-451C-B1BD-4E2FD795BF27", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "D97050DD-2299-4480-A274-914EC6693E40", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2696CD1-9514-405D-A3B3-8308EC1FA571", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "F80CB000-C477-486C-838C-B2FE82647670", "versionEndIncluding": "8.2.4.0", "versionStartIncluding": "8.0.0.0", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "0A6675A3-684B-4486-A451-C6688F1C821B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED543A4C-B774-4578-AC5B-752434EAF197", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "490B2C44-CECD-4551-B04F-4076D0E053C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*", "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "48EFC111-B01B-4C34-87E4-D6B2C40C0122", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4", "vulnerable": true }, { "criteria": "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "7569C0BD-16C1-441E-BAEB-840C94BE73EF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF." 
}, { "lang": "es", "value": "Apache PDFBox versi\u00f3n 2.0.14 no inicializa correctamente el analizador XML, lo que permite a los atacantes dependientes del contexto realizar ataques de Entidades Externas XML (XXE) por medio de un XFDF creado." } ], "id": "CVE-2019-0228", "lastModified": "2024-11-21T04:16:32.607", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-04-17T15:29:00.703", "references": [ { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3Cusers.pdfbox.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3Ccommits.tika.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3Cserver-dev.james.apache.org%3E" }, { "source": "security@apache.org", 
"url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3Ccommits.tika.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3Cusers.pdfbox.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3Cserver-dev.james.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/" }, { "source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3Cusers.pdfbox.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3Ccommits.tika.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3Cserver-dev.james.apache.org%3E" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3Ccommits.tika.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3Cusers.pdfbox.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3Cserver-dev.james.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-611" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46288D7B-23FB-440D-8533-26870E081E70", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak." } ], "id": "CVE-2004-2650", "lastModified": "2024-11-20T23:53:53.747", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2004-12-31T05:00:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://issues.apache.org/jira/browse/JAMES-268" }, { "source": "cve@mitre.org", "url": "http://james.apache.org/changelog.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15765" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://issues.apache.org/jira/browse/JAMES-268" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://james.apache.org/changelog.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/15765" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] 
}
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr | Mailing List, Vendor Advisory | |
security@apache.org | https://www.openwall.com/lists/oss-security/2022/02/07/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/02/07/1 | Mailing List, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "9624C51D-A71D-44F0-96D9-1289F56AB4F9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used)." }, { "lang": "es", "value": "La correcci\u00f3n de CVE-2021-40525 no antepone delimitadores a las comprobaciones de directorios. Las implementaciones afectadas incluyen: - Almac\u00e9n de buzones maildir - Repositorio de archivos Sieve Esto permite a un usuario acceder a almacenes de datos de otros usuarios (limitado a que los nombres de usuario lleven como prefijo el valor del nombre de usuario usado)" } ], "id": "CVE-2022-22931", "lastModified": "2024-11-21T06:47:38.117", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-07T19:15:08.300", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/04/3 | Mailing List, Third Party Advisory | |
security@apache.org | https://www.openwall.com/lists/oss-security/2022/01/04/3 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/04/3 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/01/04/3 | Mailing List, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "C857D994-8952-4A29-9B5C-CC3AADBAD82F", "versionEndExcluding": "3.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade." }, { "lang": "es", "value": "En Apache James, mientras es analizado con Jazzer la pila de an\u00e1lisis de IMAP, detectamos que los comandos APPEND y STATUS IMAP dise\u00f1ados pod\u00edan ser usados para desencadenar bucles infinitos resultando en costosos c\u00e1lculos de la CPU y excepciones OutOfMemory. Esto puede ser usado para un ataque de denegaci\u00f3n de servicio. El usuario de IMAP necesita estar autenticado para explotar esta vulnerabilidad. Esto afectaba a Apache James versiones anteriores a 3.6.1. Esta vulnerabilidad ha sido parcheada en Apache James versiones 3.6.1 y superiores. 
Recomendamos la actualizaci\u00f3n" } ], "id": "CVE-2021-40111", "lastModified": "2024-11-21T06:23:35.487", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-04T09:15:07.377", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/3" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-835" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/04/1 | Mailing List, Third Party Advisory | |
security@apache.org | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
security@apache.org | https://www.openwall.com/lists/oss-security/2022/01/04/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/04/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/01/04/1 | Mailing List, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "C857D994-8952-4A29-9B5C-CC3AADBAD82F", "versionEndExcluding": "3.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information." }, { "lang": "es", "value": "Apache James versiones anteriores a 3.6.1, es vulnerable a un ataque de buffering que es basado en el uso del comando STARTTLS. Esto puede resultar en ataques de inyecci\u00f3n de comandos de tipo \"Man-in-the-middle\", conllevando potencialmente a un filtrado de informaci\u00f3n confidencial" } ], "id": "CVE-2021-38542", "lastModified": "2024-11-21T06:17:23.503", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", 
"type": "Primary" } ] }, "published": "2022-01-04T09:15:07.267", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/1" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-327" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFB7B7EE-9A46-4E20-AF69-D74FB48C5C60", "versionEndExcluding": "3.7.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.\n\n\n" } ], "id": "CVE-2023-26269", "lastModified": "2024-11-21T07:51:01.070", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-04-03T08:15:07.087", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2023/04/18/3" }, { "source": "security@apache.org", "tags": [ "Mailing List" ], "url": 
"https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/04/18/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "security@apache.org", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0C5B5CE-7844-48F0-A791-3823B74B4F1A", "versionEndIncluding": "3.7.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions." }, { "lang": "es", "value": "El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\u00f3n 3.7.2 y versiones anteriores." 
} ], "id": "CVE-2022-45935", "lastModified": "2024-11-21T07:29:59.833", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-06T10:15:10.447", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "security@apache.org", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:mime4j:*:*:*", "matchCriteriaId": "36FAB00E-6832-4BBB-BE8D-22E47940C57F", "versionEndExcluding": "0.8.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n" }, { "lang": "es", "value": "Los permisos laxos inadecuados en los archivos temporales utilizados por MIME4J TempFileStorageProvider pueden provocar la divulgaci\u00f3n de informaci\u00f3n a otros usuarios locales. Este problema afecta a Apache James MIME4J versi\u00f3n 0.8.8 y versiones anteriores. Recomendamos a los usuarios que actualicen a MIME4j versi\u00f3n 0.8.9 o posterior." 
} ], "id": "CVE-2022-45787", "lastModified": "2024-11-21T07:29:42.970", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-06T10:15:10.383", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-312" } ], "source": "security@apache.org", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-312" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/04/2 | Mailing List, Third Party Advisory | |
security@apache.org | https://www.openwall.com/lists/oss-security/2022/01/04/2 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/04/2 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/01/04/2 | Mailing List, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "C857D994-8952-4A29-9B5C-CC3AADBAD82F", "versionEndExcluding": "3.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking." }, { "lang": "es", "value": "En Apache James, usando Jazzer fuzzer, identificamos que un usuario de IMAP puede dise\u00f1ar comandos IMAP LIST para orquestar una denegaci\u00f3n de servicio usando una expresi\u00f3n regular vulnerable. Esto afectaba a Apache James versiones anteriores a 3.6.1. 
Recomendamos actualizar a Apache James versi\u00f3n 3.6.1 o superior, que refuerza el uso del motor de expresiones regulares RE2J para ejecutar regex en tiempo lineal sin retroceso" } ], "id": "CVE-2021-40110", "lastModified": "2024-11-21T06:23:35.337", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-04T09:15:07.327", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"https://www.openwall.com/lists/oss-security/2022/01/04/2" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2022-45935
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d | vendor-advisory |
Vendor | Product | Version | |
---|---|---|---|
Apache Software Foundation | Apache James server | 0 ≤ 3.7.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:24:03.215Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache James server", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.7.2", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Benoit Tellier" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions." } ], "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions." 
} ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-12T10:18:19.197Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache James server: Temporary File Information Disclosure", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-45935", "datePublished": "2023-01-06T09:33:30.150Z", "dateReserved": "2022-11-27T08:53:19.892Z", "dateUpdated": "2024-08-03T14:24:03.215Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-40111
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://www.openwall.com/lists/oss-security/2022/01/04/3 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/01/04/3 | mailing-list, x_refsource_MLIST |
Vendor | Product | Version | |
---|---|---|---|
Apache Software Foundation | Apache James | Apache James ≤ 3.6.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:27:31.847Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "name": "[oss-security] 20220104 CVE-2021-40111: Apache James IMAP parsing Denial Of Service", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.6.0", "status": "affected", "version": "Apache James", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "The Apache James PMC would like to thanks Benoit TELLIER for the report." } ], "descriptions": [ { "lang": "en", "value": "In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Denial Of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-04T09:06:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "name": "[oss-security] 20220104 CVE-2021-40111: Apache James IMAP parsing Denial Of Service", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" } ], "source": { "defect": [ "JAMES-3634" ], "discovery": "UNKNOWN" }, "title": "Apache James IMAP parsing Denial Of Service", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40111", "STATE": "PUBLIC", "TITLE": "Apache James IMAP parsing Denial Of Service" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache James", "version_value": "3.6.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "The Apache James PMC would like to thanks Benoit TELLIER for the report." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. 
This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial Of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2022/01/04/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "name": "[oss-security] 20220104 CVE-2021-40111: Apache James IMAP parsing Denial Of Service", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" } ] }, "source": { "defect": [ "JAMES-3634" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40111", "datePublished": "2022-01-04T08:55:24", "dateReserved": "2021-08-25T00:00:00", "dateUpdated": "2024-08-04T02:27:31.847Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-45787
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj | vendor-advisory |
Vendor | Product | Version | |
---|---|---|---|
Apache Software Foundation | Apache James MIME4J | 0 ≤ 0.8.8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:17:04.186Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache James MIME4J", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "0.8.8", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jonathan Leitschuh" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade to MIME4j version 0.8.9 or later.\u003cbr\u003e" } ], "value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. 
This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-16T10:27:24.515Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-45787", "datePublished": "2023-01-06T09:31:40.118Z", "dateReserved": "2022-11-22T08:49:26.227Z", "dateUpdated": "2024-08-03T14:17:04.186Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-22931
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr | x_refsource_MISC | |
https://www.openwall.com/lists/oss-security/2022/02/07/1 | x_refsource_MISC |
Vendor | Product | Version | |
---|---|---|---|
Apache Software Foundation | Apache James | Apache James 3.6.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:42.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache James 3.6.1" } ] } ], "credits": [ { "lang": "en", "value": "These issues were discovered and reported by GHSL team member Jaroslav Loba\u010devski" } ], "descriptions": [ { "lang": "en", "value": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used)." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T18:50:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Path traversal in Apache James 3.6.1", "workarounds": [ { "lang": "en", "value": "This had been fixed in Apache James 3.6.2." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-22931", "STATE": "PUBLIC", "TITLE": "Path traversal in Apache James 3.6.1" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache James", "version_value": "3.6.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "These issues were discovered and reported by GHSL team member Jaroslav Loba\u010devski" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used)." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr", "refsource": "MISC", "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "name": "https://www.openwall.com/lists/oss-security/2022/02/07/1", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "This had been fixed in Apache James 3.6.2." 
} ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-22931", "datePublished": "2022-02-07T18:50:10", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-40110
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://www.openwall.com/lists/oss-security/2022/01/04/2 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/01/04/2 | mailing-list, x_refsource_MLIST |
Vendor | Product | Version | |
---|---|---|---|
Apache Software Foundation | Apache James | Apache James ≤ 3.6.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:27:31.846Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.6.0", "status": "affected", "version": "Apache James", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report." } ], "descriptions": [ { "lang": "en", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Regular expression Denial of service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-04T09:06:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" } ], "source": { "defect": [ "JAMES-3635" ], "discovery": "UNKNOWN" }, "title": "Apache James IMAP vulnerable to a ReDoS", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40110", "STATE": "PUBLIC", "TITLE": "Apache James IMAP vulnerable to a ReDoS" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache James", "version_value": "3.6.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Regular expression Denial of service" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2022/01/04/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" } ] }, "source": { "defect": [ "JAMES-3635" ], "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40110", "datePublished": "2022-01-04T08:55:22", "dateReserved": "2021-08-25T00:00:00", "dateUpdated": "2024-08-04T02:27:31.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-38542
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://www.openwall.com/lists/oss-security/2022/01/04/1 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/01/04/1 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2022/09/20/1 | mailing-list, x_refsource_MLIST |
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache James |
Version: Apache James < 3.6.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:44:23.485Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220104 CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "3.6.1", "status": "affected", "version": "Apache James", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "We thank Benoit Tellier, Raphael Ouazana for reporting this vulnerability as well as Damian Poddebniak, Fabian Ising, Hanno B\u00f6ck, and Sebastian Schinzel M\u00fcnster University of Applied Science for their research and tools regarding STARTTLS security." } ], "descriptions": [ { "lang": "en", "value": "Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-20T11:06:20", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220104 CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ], "source": { "defect": [ "JAMES-1862" ], "discovery": "UNKNOWN" }, "title": "Apache James vulnerable to STARTTLS command injection (IMAP and POP3)", "workarounds": [ { "lang": "en", "value": "We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.\n\nFurthermore, we recommend, if possible, deactivating STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-38542", "STATE": "PUBLIC", "TITLE": "Apache James vulnerable to STARTTLS command injection (IMAP and POP3)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache James", "version_value": "3.6.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "We thanks Benoit Tellier, Raphael Ouazana for reporting this vulnerability as well as Damian Poddebniak, Fabian Ising, Hanno B\u00f6ck, and Sebastian Schinzel M\u00fcnster University of Applied Science for their research and tools regarding STARTTLS security." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2022/01/04/1", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220104 CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ] }, "source": { "defect": [ "JAMES-1862" ], "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "We recommend to upgrade to Apache James 3.6.1, which fixes this vulnerability.\n\nFurthermore, we recommend, if possible to dis-activate STARTTLS and rely solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-38542", "datePublished": "2022-01-04T08:55:21", "dateReserved": "2021-08-11T00:00:00", "dateUpdated": "2024-08-04T01:44:23.485Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0228
Vulnerability from cvelistv5
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Apache PDFBox |
Version: Apache PDFBox 2.0.14 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:15.952Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[james-server-dev] 20190708 [jira] [Created] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3Cserver-dev.james.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864251 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3Ccommits.tika.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864252 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3Ccommits.tika.apache.org%3E" }, { "name": "FEDORA-2019-9e91afa2be", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/" }, { "name": "FEDORA-2019-6fa01d12b4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/" }, { 
"tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "name": "[james-server-dev] 20200618 [jira] [Closed] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3Cserver-dev.james.apache.org%3E" }, { "name": "[pdfbox-users] 20210120 Security Vulnerability with PDFbox 1.8.16", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3Cusers.pdfbox.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3Cusers.pdfbox.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache PDFBox", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache PDFBox 2.0.14" } ] } ], "descriptions": [ { "lang": "en", "value": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF." 
} ], "problemTypes": [ { "descriptions": [ { "description": "XML External Entity (XXE) attacks", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-20T10:38:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[james-server-dev] 20190708 [jira] [Created] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3Cserver-dev.james.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864251 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3Ccommits.tika.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864252 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3Ccommits.tika.apache.org%3E" }, { "name": "FEDORA-2019-9e91afa2be", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/" }, { "name": "FEDORA-2019-6fa01d12b4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "name": "[james-server-dev] 20200618 [jira] [Closed] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3Cserver-dev.james.apache.org%3E" }, { "name": "[pdfbox-users] 20210120 Security Vulnerability with PDFbox 1.8.16", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3Cusers.pdfbox.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3Cusers.pdfbox.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-0228", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache PDFBox", "version": { "version_data": [ { "version_value": "Apache PDFBox 2.0.14" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XML External Entity (XXE) attacks" } ] } ] }, "references": { "reference_data": [ { "name": "[james-server-dev] 20190708 [jira] [Created] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3Cserver-dev.james.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864251 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3Ccommits.tika.apache.org%3E" }, { "name": "[tika-commits] 20190802 svn commit: r1864252 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E" }, { "name": "FEDORA-2019-9e91afa2be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/" }, { "name": "FEDORA-2019-6fa01d12b4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "name": "[james-server-dev] 20200618 [jira] [Closed] (JAMES-2819) Upgrade pdfbox following 
CVE-2019-0228", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3Cserver-dev.james.apache.org%3E" }, { "name": "[pdfbox-users] 20210120 Security Vulnerability with PDFbox 1.8.16", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3Cusers.pdfbox.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0228", "datePublished": "2019-04-17T14:07:34", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:15.952Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-26269
Vulnerability from cvelistv5
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache James server |
Version: 0 ≤ 3.7.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:46:24.411Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/04/18/3" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "james_server", "vendor": "apache", "versions": [ { "lessThanOrEqual": "3.7.3", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-26269", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-23T15:09:13.520369Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-23T15:10:14.280Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache James server", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.7.3", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Matei \"Mal\" Badanoiu" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eApache 
James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\u003c/div\u003e\u003cdiv\u003eAdministrators are advised to disable JMX, or set up a JMX password.\u003c/div\u003e\u003cdiv\u003eNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.\u003cbr\u003e\u003c/div\u003e" } ], "value": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.\n\n\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-03T07:59:13.228Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs" }, { "url": "http://www.openwall.com/lists/oss-security/2023/04/18/3" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache James server: Privilege escalation through unauthenticated JMX", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-26269", "datePublished": "2023-04-03T07:59:13.228Z", "dateReserved": "2023-02-21T08:48:22.411Z", "dateUpdated": "2024-10-23T15:10:14.280Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-2806
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/435278/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/26786 | vdb-entry, x_refsource_XF | |
http://securityreason.com/securityalert/1038 | third-party-advisory, x_refsource_SREASON | |
http://www.securityfocus.com/bid/18138 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T18:06:26.362Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20060528 JAMES 2.2.0 \u003c-- Denial Of Service", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "name": "apache-james-smtp-dos(26786)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" }, { "name": "1038", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/1038" }, { "name": "18138", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/18138" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-05-28T00:00:00", "descriptions": [ { "lang": "en", "value": "The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20060528 JAMES 2.2.0 \u003c-- Denial Of Service", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "name": "apache-james-smtp-dos(26786)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" }, { "name": "1038", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/1038" }, { "name": "18138", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/18138" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-2806", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20060528 JAMES 2.2.0 \u003c-- Denial Of Service", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "name": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt", "refsource": "MISC", "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "name": "apache-james-smtp-dos(26786)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" }, { "name": "1038", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1038" }, { "name": "18138", "refsource": "BID", "url": "http://www.securityfocus.com/bid/18138" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-2806", "datePublished": "2006-06-05T17:00:00", "dateReserved": "2006-06-05T00:00:00", "dateUpdated": "2024-08-07T18:06:26.362Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-40525
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://www.openwall.com/lists/oss-security/2022/01/04/4 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/01/04/4 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2022/02/07/1 | mailing-list, x_refsource_MLIST |
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache James |
Version: Apache James ≤ 3.6.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:44:10.863Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220104 CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220207 CVE-2022-22931: Path traversal in Apache James", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.6.0", "status": "affected", "version": "Apache James", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "The Apache James PMC would like to thank Benoit TELLIER for the report." } ], "descriptions": [ { "lang": "en", "value": "The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing any file to be read or written. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading. Distributed and Cassandra-based products are not impacted." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T09:06:13", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220104 CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220207 CVE-2022-22931: Path traversal in Apache James", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" } ], "source": { "defect": [ "JAMES-3646" ], "discovery": "UNKNOWN" }, "title": "Sieve file storage vulnerable to path traversal attacks", "workarounds": [ { "lang": "en", "value": "This could also be mitigated by ensuring manageSieve is disabled, which is the case by default.\n" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40525", "STATE": "PUBLIC", "TITLE": "Sieve file storage vulnerable to path traversal attacks" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache James", "version_value": "3.6.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "The Apache James PMC would like to thanks Benoit TELLIER for the report." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2022/01/04/4", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220104 CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "name": "[oss-security] 20220207 CVE-2022-22931: Path traversal in Apache James", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" } ] }, "source": { "defect": [ "JAMES-3646" ], "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "This could also be mitigated by ensuring manageSieve is disabled, which is the case by default.\n" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40525", "datePublished": "2022-01-04T08:55:25", "dateReserved": "2021-09-06T00:00:00", "dateUpdated": "2024-08-04T02:44:10.863Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-28220
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/20/1 | mailing-list, x_refsource_MLIST |
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache James | <= 3.6.2, and 3.7.0 (fixed in 3.6.3 and 3.7.1, per the record below) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:48:37.476Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache James", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.6.2", "status": "affected", "version": "Apache James", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support." } ], "descriptions": [ { "lang": "en", "value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests." } ], "metrics": [ { "other": { "content": { "other": "This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3." 
}, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-20T11:06:21", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ], "source": { "defect": [ "JAMES-1862" ], "discovery": "UNKNOWN" }, "title": "STARTTLS command injection in Apache JAMES", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache James 3.7.1 or Apache James 3.6.3." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28220", "STATE": "PUBLIC", "TITLE": "STARTTLS command injection in Apache JAMES" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache James", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache James", "version_value": "3.6.2" }, { "version_affected": "\u003c=", "version_name": "Apache James", "version_value": "3.7.0 +1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. 
Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3." } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html", "refsource": "MISC", "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" }, { "name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" } ] }, "source": { "defect": [ "JAMES-1862" ], "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache James 3.7.1 or Apache James 3.6.3." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28220", "datePublished": "2022-09-08T07:40:09", "dateReserved": "2022-03-30T00:00:00", "dateUpdated": "2024-08-03T05:48:37.476Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2004-2650
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| http://issues.apache.org/jira/browse/JAMES-268 | x_refsource_MISC |
| http://james.apache.org/changelog.html | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/15765 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-08T01:36:25.125Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://issues.apache.org/jira/browse/JAMES-268" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://james.apache.org/changelog.html" }, { "name": "15765", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/15765" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2005-12-09T15:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://issues.apache.org/jira/browse/JAMES-268" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://james.apache.org/changelog.html" }, { "name": "15765", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/15765" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-2650", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Spooler in Apache 
Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://issues.apache.org/jira/browse/JAMES-268", "refsource": "MISC", "url": "http://issues.apache.org/jira/browse/JAMES-268" }, { "name": "http://james.apache.org/changelog.html", "refsource": "CONFIRM", "url": "http://james.apache.org/changelog.html" }, { "name": "15765", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15765" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-2650", "datePublished": "2005-12-09T15:00:00Z", "dateReserved": "2005-12-09T00:00:00Z", "dateUpdated": "2024-09-17T03:03:36.157Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
var-200606-0421
Vulnerability from variot
The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command. Apache James is prone to a remote denial-of-service vulnerability. This issue is due to the application's failure to efficiently handle malformed SMTP commands. The NVD CVSS v2 vector in the record below (AV:N/AC:L/Au:N, availability impact COMPLETE) rates it as reachable over the network without authentication. This issue allows remote attackers to consume excessive CPU resources of affected computers, potentially denying service to legitimate users. Apache James version 2.2.0 is vulnerable to this issue; other versions may also be affected, but only 2.2.0 appears in the CPE configuration, so treat that wider claim as unconfirmed.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200606-0421", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.2.0" }, { "model": "software foundation james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "2.2" } ], "sources": [ { "db": "BID", "id": "18138" }, { "db": "NVD", "id": 
"CVE-2006-2806" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2006-2806" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ahmad Muammar W.K y3dips@echo.or.id", "sources": [ { "db": "CNNVD", "id": "CNNVD-200606-102" } ], "trust": 0.6 }, "cve": "CVE-2006-2806", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 6.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, 
"userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULMON", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2006-2806", "impactScore": 6.9, "integrityImpact": "NONE", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "HIGH", "trust": 0.1, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2006-2806", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-200606-102", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2006-2806", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2006-2806" }, { "db": "NVD", "id": "CVE-2006-2806" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command. Apache James is prone to a remote denial-of-service vulnerability. This issue is due to the application\u0027s failure to efficiently handle malformed SMTP commands. \nThis issue allows remote attackers to consume excessive CPU resources of affected computers, potentially denying service to legitimate users. 
\nApache James version 2.2.0 is vulnerable to this issue; other versions may also be affected", "sources": [ { "db": "NVD", "id": "CVE-2006-2806" }, { "db": "BID", "id": "18138" }, { "db": "VULMON", "id": "CVE-2006-2806" } ], "trust": 1.26 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "18138", "trust": 2.0 }, { "db": "NVD", "id": "CVE-2006-2806", "trust": 2.0 }, { "db": "SREASON", "id": "1038", "trust": 1.7 }, { "db": "BUGTRAQ", "id": "20060528 JAMES 2.2.0", "trust": 0.6 }, { "db": "XF", "id": "26786", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200606-102", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2006-2806", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2006-2806" }, { "db": "BID", "id": "18138" }, { "db": "NVD", "id": "CVE-2006-2806" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "id": "VAR-200606-0421", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T13:49:51.773000Z", "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2006-2806" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.8, "url": 
"http://www.securityfocus.com/bid/18138" }, { "trust": 1.7, "url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt" }, { "trust": 1.7, "url": "http://securityreason.com/securityalert/1038" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded" }, { "trust": 1.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/435278/100/0/threaded" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/26786" }, { "trust": 0.3, "url": "http://james.apache.org/index.html" }, { "trust": 0.3, "url": "/archive/1/435278" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2006-2806" }, { "db": "BID", "id": "18138" }, { "db": "NVD", "id": "CVE-2006-2806" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2006-2806" }, { "db": "BID", "id": "18138" }, { "db": "NVD", "id": "CVE-2006-2806" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2006-06-05T00:00:00", "db": "VULMON", "id": "CVE-2006-2806" }, { "date": "2006-05-29T00:00:00", "db": "BID", "id": "18138" }, { "date": "2006-06-05T17:02:00", "db": "NVD", "id": "CVE-2006-2806" }, { "date": "2006-05-29T00:00:00", "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-10-18T00:00:00", "db": "VULMON", "id": "CVE-2006-2806" }, { "date": "2016-02-02T20:01:00", "db": "BID", "id": "18138" }, { "date": 
"2018-10-18T16:43:02.870000", "db": "NVD", "id": "CVE-2006-2806" }, { "date": "2006-06-05T00:00:00", "db": "CNNVD", "id": "CNNVD-200606-102" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200606-102" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James SMTP Remotely Extra long data Denial of service vulnerability", "sources": [ { "db": "CNNVD", "id": "CNNVD-200606-102" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Design Error", "sources": [ { "db": "BID", "id": "18138" }, { "db": "CNNVD", "id": "CNNVD-200606-102" } ], "trust": 0.9 } }
var-202301-0598
Vulnerability from variot
Improper (overly lax) permissions on the temporary files used by the MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users upgrade to MIME4J version 0.8.9 or later. Because MIME4J is a library, any application that bundles a vulnerable copy is exposed, not only Apache James itself; the Red Hat advisory reproduced below, for example, delivers the fix through a RESTEasy upgrade to mime4j 0.8.9. Other sources describe the same issue as plaintext storage of sensitive information; information may be obtained by a local user.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update
Advisory ID: RHSA-2023:1512-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1512
Issue date: 2023-03-29
CVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 CVE-2022-45787 CVE-2023-0482 CVE-2023-1108
=====================================================================
- Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
- SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
- hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
- Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
- undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
- snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
- dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
- codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
- apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
- RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001
JBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7
JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001
JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002
JBEAP-24220 - GSS Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001
JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile
JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004
JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1
JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001
JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final
JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012
JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001
JBEAP-24383 - GSS Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7
JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final
JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001
JBEAP-24395 - GSS Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final
JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9
JBEAP-24535 - GSS UNDERTOW-2239 - Infinite loop in SslConduit during close on JDK 11
JBEAP-24574 - PST Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001
JBEAP-24588 - GSS RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9
JBEAP-24605 - PST Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2
JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 7 Server:
Source: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm eap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm
noarch: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm 
eap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm 
eap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm 
eap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
x86_64: eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ (Note: the PGP signature reproduced at the end of this advisory covers the original clearsigned mailing-list announcement; this copy has been re-flowed, so verify the signature against the announcement as published on the rhsa-announce list or at the advisory URL, and verify the RPM package signatures themselves against the Red Hat key before installing.)
- References:
https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41853 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b 81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA Juh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S rPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF Q8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4 7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt cVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y WBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu JdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy R51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt 4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi fsWX8UaljMw= =qlyL -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . You can also manage user accounts for web applications, mobile applications, and RESTful web services. Description:
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
- JIRA issues fixed (https://issues.redhat.com/):
QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202301-0598", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "0.8.9" }, { "model": "hitachi ops center common services", "scope": null, "trust": 0.8, "vendor": "\u65e5\u7acb", "version": null }, { "model": "james", "scope": null, "trust": 0.8, "vendor": "apache", "version": null } 
], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:mime4j:*:*:*", "cpe_name": [], "versionEndExcluding": "0.8.9", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-45787" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "171600" }, { "db": "PACKETSTORM", "id": "171593" }, { "db": "PACKETSTORM", "id": "171664" }, { "db": "PACKETSTORM", "id": "172284" }, { "db": "PACKETSTORM", "id": "172281" }, { "db": "PACKETSTORM", "id": "172265" }, { "db": "PACKETSTORM", "id": "173213" } ], "trust": 0.7 }, "cve": "CVE-2022-45787", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "NONE", 
"baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.5, "baseSeverity": "Medium", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-45787", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-45787", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202301-447", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "CNNVD", "id": "CNNVD-202301-447" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Improper, overly lax permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. \n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later. Apache James MIME4J contains a vulnerability involving plaintext storage of sensitive information in temporary files; that information may be obtained by other local users. \n\nReviewer note: both CVSS vectors above are AV:L, so exploitation requires a local account that can read the temporary directory used by the Java process running MIME4J; the exposure is therefore greatest on multi-user hosts. MIME4J is a library, so the fix normally arrives through the product that bundles it (for example the RESTEasy upgrade to mime4j 0.8.9 in the Red Hat JBoss EAP and Red Hat Single Sign-On errata reproduced below, and Hitachi Ops Center Common Services listed under affected_products); checking the bundled mime4j artifact version, not only the product version, confirms whether a deployment is fixed. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update\nAdvisory ID: RHSA-2023:1512-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:1512\nIssue date: 2023-03-29\nCVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 \n CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 \n CVE-2022-45787 CVE-2023-0482 CVE-2023-1108 \n=====================================================================\n\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.4 for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.4.10 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. 
\n\nSecurity Fix(es):\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution\n(CVE-2022-1471)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* undertow: Server identity in https connection is not checked by the\nundertow client (CVE-2022-4492)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode\n(CVE-2022-38752)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS\n(CVE-2022-41881)\n\n* apache-james-mime4j: Temporary File Information Disclosure in MIME4J\nTempFileStorageProvider (CVE-2022-45787)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode\n2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack\n2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution\n2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow\n2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client\n2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS\n2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider\n2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files\n2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001\nJBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7\nJBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001\nJBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002\nJBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001\nJBEAP-24254 - JDK17, CLI script to update security doesn\u0027t apply to microprofile\nJBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004\nJBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1\nJBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001\nJBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final\nJBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012\nJBEAP-24380 - (7.4.z) Upgrade jastow from 
2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001\nJBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7\nJBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final\nJBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001\nJBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final\nJBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9\nJBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11\nJBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001\nJBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9\nJBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2\nJBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001\n\n7. 
Package List:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server:\n\nSource:\neap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm\neap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm\neap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm\neap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm\neap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm\neap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm\neap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm\neap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm\neap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm\neap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm\neap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm\neap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-commons-11.0.17-
1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jbossws-cxf-5.4.8-1.F
inal_redhat_00001.1.el7eap.noarch.rpm\neap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-net
ty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-v
alidator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\n\nx86_64:\neap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-1471\nhttps://access.redhat.com/security/cve/CVE-2022-4492\nhttps://access.redhat.com/security/cve/CVE-2022-38752\nhttps://access.redhat.com/security/cve/CVE-2022-41853\nhttps://access.redhat.com/security/cve/CVE-2022-41854\nhttps://access.redhat.com/security/cve/CVE-2022-41881\nhttps://access.redhat.com/security/cve/CVE-2022-45787\nhttps://access.redhat.com/security/cve/CVE-2023-0482\nhttps://access.redhat.com/security/cve/CVE-2023-1108\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b\n81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA\nJuh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S\nrPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF\nQ8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4\n7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt\ncVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y\nWBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu\nJdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy\nR51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt\n4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi\nfsWX8UaljMw=\n=qlyL\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. 
You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices. Description:\n\nRed Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):\n\n2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider\n2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files\n2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files\n2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks\n2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow\n2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption\n2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray\n2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol\n\n5. 
JIRA issues fixed (https://issues.redhat.com/):\n\nQUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4\nQUARKUS-2787 - Rest Data Panache: Correct Open API integration\nQUARKUS-2846 - Ensure that new line chars don\u0027t break Panache projection\nQUARKUS-2978 - ExceptionMapper\u003cWebApplicationException\u003e is not working in DEV mode\nQUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected\nQUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled\nQUARKUS-3161 - Fix security-csrf-prevention.adoc\nQUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage\nQUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases\nQUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13\nQUARKUS-3169 - New home for Narayana LRA coordinator Docker images\nQUARKUS-3170 - Fix truststore REST Client config when password is not set\nQUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime\nQUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers\nQUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest\nQUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them\nQUARKUS-3177 - Fix copy paste error in qute docs\nQUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode\nQUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request\nQUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies\nQUARKUS-3184 - Use SchemaType.ARRAY instead of \"ARRAY\" for native support\nQUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream\nQUARKUS-3187 - Allow context propagation for OpenTelemetry\nQUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest\nQUARKUS-3191 - Drop \u0027:z\u0027 bind option when using MacOS and 
Podman\nQUARKUS-3194 - Exclude Netty\u0027s reflection configuration files\nQUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)\nQUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8", "sources": [ { "db": "NVD", "id": "CVE-2022-45787" }, { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "VULMON", "id": "CVE-2022-45787" }, { "db": "PACKETSTORM", "id": "171600" }, { "db": "PACKETSTORM", "id": "171593" }, { "db": "PACKETSTORM", "id": "171664" }, { "db": "PACKETSTORM", "id": "172284" }, { "db": "PACKETSTORM", "id": "172281" }, { "db": "PACKETSTORM", "id": "172265" }, { "db": "PACKETSTORM", "id": "173213" } ], "trust": 2.34 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-45787", "trust": 4.0 }, { "db": "JVNDB", "id": "JVNDB-2023-001784", "trust": 0.8 }, { "db": "AUSCERT", "id": "ESB-2023.3663", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2023.1879", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2023.1925", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2023.3726", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202301-447", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-45787", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "171600", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "171593", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "171664", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "172284", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "172281", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "172265", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "173213", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45787" }, { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "PACKETSTORM", "id": "171600" }, { "db": "PACKETSTORM", "id": "171593" }, { "db": "PACKETSTORM", "id": 
"171664" }, { "db": "PACKETSTORM", "id": "172284" }, { "db": "PACKETSTORM", "id": "172281" }, { "db": "PACKETSTORM", "id": "172265" }, { "db": "PACKETSTORM", "id": "173213" }, { "db": "CNNVD", "id": "CNNVD-202301-447" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "id": "VAR-202301-0598", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2024-07-23T19:32:41.408000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "hitachi-sec-2023-143", "trust": 0.8, "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" }, { "title": "Apache James Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=221320" }, { "title": "", "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2022-45787 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45787" }, { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "CNNVD", "id": "CNNVD-202301-447" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-312", "trust": 1.0 }, { "problemtype": "Plaintext storage of important information (CWE-312) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": 
"@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj" }, { "trust": 1.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-45787" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2023-0482" }, { "trust": 0.7, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.7, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-0482" }, { "trust": 0.7, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2022-45787" }, { "trust": 0.7, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.7, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2022-4492" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2022-41854" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-4492" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2022-38752" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41881" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-38752" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41854" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2022-41881" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.1925" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.1879" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.3726" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-45787/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.3663" }, { "trust": 0.4, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.3, "url": "https://issues.jboss.org/):" }, { "trust": 0.3, "url": 
"https://access.redhat.com/security/cve/cve-2023-1108" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1108" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1471" }, { "trust": 0.3, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.3, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41853" }, { "trust": 0.3, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2022-1471" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2022-41853" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2021-0341" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-0341" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/200.html" }, { "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2022-45787" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:1513" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:1512" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches\u0026product=appplatform\u0026version=7.4" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:1516" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21967" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21938" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-0361" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21939" }, { "trust": 0.1, "url": 
"https://access.redhat.com/errata/rhsa-2023:2710" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-0361" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21930" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21937" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21968" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21967" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21938" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21930" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21954" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21939" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-21954" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-21937" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso\u0026downloadtype=securitypatches\u0026version=7.6" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:2713" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:2705" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-26053" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1436" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-28867" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/4966181" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-26053" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-1584" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-0481" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-0481" }, { "trust": 0.1, 
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1584" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-2974" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28867" }, { "trust": 0.1, "url": "https://issues.redhat.com/):" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:3809" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-2974" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2023-1436" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45787" }, { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "PACKETSTORM", "id": "171600" }, { "db": "PACKETSTORM", "id": "171593" }, { "db": "PACKETSTORM", "id": "171664" }, { "db": "PACKETSTORM", "id": "172284" }, { "db": "PACKETSTORM", "id": "172281" }, { "db": "PACKETSTORM", "id": "172265" }, { "db": "PACKETSTORM", "id": "173213" }, { "db": "CNNVD", "id": "CNNVD-202301-447" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-45787" }, { "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "db": "PACKETSTORM", "id": "171600" }, { "db": "PACKETSTORM", "id": "171593" }, { "db": "PACKETSTORM", "id": "171664" }, { "db": "PACKETSTORM", "id": "172284" }, { "db": "PACKETSTORM", "id": "172281" }, { "db": "PACKETSTORM", "id": "172265" }, { "db": "PACKETSTORM", "id": "173213" }, { "db": "CNNVD", "id": "CNNVD-202301-447" }, { "db": "NVD", "id": "CVE-2022-45787" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-01-06T00:00:00", "db": "VULMON", "id": "CVE-2022-45787" }, { "date": "2023-05-11T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "date": "2023-03-30T17:37:20", "db": "PACKETSTORM", "id": "171600" }, { "date": "2023-03-30T17:23:56", "db": 
"PACKETSTORM", "id": "171593" }, { "date": "2023-04-03T16:59:40", "db": "PACKETSTORM", "id": "171664" }, { "date": "2023-05-11T15:12:56", "db": "PACKETSTORM", "id": "172284" }, { "date": "2023-05-11T15:05:35", "db": "PACKETSTORM", "id": "172281" }, { "date": "2023-05-10T15:30:39", "db": "PACKETSTORM", "id": "172265" }, { "date": "2023-06-30T14:34:04", "db": "PACKETSTORM", "id": "173213" }, { "date": "2023-01-06T00:00:00", "db": "CNNVD", "id": "CNNVD-202301-447" }, { "date": "2023-01-06T10:15:10.383000", "db": "NVD", "id": "CVE-2022-45787" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-01-06T00:00:00", "db": "VULMON", "id": "CVE-2022-45787" }, { "date": "2023-10-04T05:41:00", "db": "JVNDB", "id": "JVNDB-2023-001784" }, { "date": "2023-06-30T00:00:00", "db": "CNNVD", "id": "CNNVD-202301-447" }, { "date": "2023-11-07T03:54:49.427000", "db": "NVD", "id": "CVE-2022-45787" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202301-447" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0MIME4J\u00a0 Vulnerability in plaintext storage of important information in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001784" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-202301-447" } ], "trust": 0.6 } }
var-202301-0613
Vulnerability from variot
Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
Vulnerable components include the SMTP stack and the IMAP APPEND command.
This issue affects Apache James server versions 3.7.2 and prior.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202301-0613", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "3.7.2" }, { "model": "james", "scope": "lte", "trust": 0.8, "vendor": "apache", "version": "3.7.2 and earlier" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", 
"version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.7.2", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-45935" } ] }, "cve": "CVE-2022-45935", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.5, "baseSeverity": "Medium", "confidentialityImpact": "High", 
"exploitabilityScore": null, "id": "CVE-2022-45935", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-45935", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202301-445", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" }, { "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command. 
\n\nThis issue affects Apache James server version 3.7.2 and prior versions", "sources": [ { "db": "NVD", "id": "CVE-2022-45935" }, { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "VULMON", "id": "CVE-2022-45935" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-45935", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-001783", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202301-445", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-45935", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45935" }, { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" }, { "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "id": "VAR-202301-0613", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T12:25:37.219000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Temporary\u00a0File\u00a0Information\u00a0Disclosure", "trust": 0.8, "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" }, { "title": "Apache James Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=220229" }, { "title": "Red Hat: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2022-45935" }, { "title": "", "trust": 0.1, "url": 
"https://github.com/live-hack-cve/cve-2022-45935 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45935" }, { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-668", "trust": 1.0 }, { "problemtype": "Sending important information in clear text (CWE-319) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-45935" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2022-45935" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-45935/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/200.html" }, { "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2022-45935" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-45935" }, { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" }, { "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-45935" }, { "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "db": "NVD", "id": "CVE-2022-45935" }, { "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "sources_release_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-01-06T00:00:00", "db": "VULMON", "id": "CVE-2022-45935" }, { "date": "2023-05-11T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "date": "2023-01-06T10:15:10.447000", "db": "NVD", "id": "CVE-2022-45935" }, { "date": "2023-01-06T00:00:00", "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-01-06T00:00:00", "db": "VULMON", "id": "CVE-2022-45935" }, { "date": "2023-05-11T02:36:00", "db": "JVNDB", "id": "JVNDB-2023-001783" }, { "date": "2023-07-12T11:15:09.623000", "db": "NVD", "id": "CVE-2022-45935" }, { "date": "2023-07-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202301-445" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202301-445" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0 Vulnerability related to transmission of important information in plaintext in server", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-001783" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-202301-445" } ], "trust": 0.6 } }
var-202201-0206
Vulnerability from variot
In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a denial of service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking. Apache James contains an unspecified vulnerability that may result in a denial of service (DoS). Apache James is an open source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java by the Apache Foundation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0206", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "lt", "trust": 1.6, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "3.6.1" } 
], "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "NVD", "id": "CVE-2021-40110" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.6.1", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-40110" } ] }, "cve": "CVE-2021-40110", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": 
"None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-40110", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "id": "CNVD-2022-02755", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-40110", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-40110", "trust": 1.8, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2022-02755", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-084", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": 
"CNVD", "id": "CNVD-2022-02755" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "NVD", "id": "CVE-2021-40110" }, { "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking. Apache James Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation", "sources": [ { "db": "NVD", "id": "CVE-2021-40110" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "VULMON", "id": "CVE-2021-40110" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-40110", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/04/2", "trust": 3.1 }, { "db": "JVNDB", "id": "JVNDB-2021-017532", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-02755", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010404", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-084", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-40110", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "VULMON", "id": "CVE-2021-40110" }, { "db": "JVNDB", "id": 
"JVNDB-2021-017532" }, { "db": "NVD", "id": "CVE-2021-40110" }, { "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "id": "VAR-202201-0206", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" } ], "trust": 0.8536231999999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" } ] }, "last_update_date": "2023-12-18T12:55:16.195000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top\u00a0Page", "trust": 0.8, "url": "https://www.apache.org/" }, { "title": "Patch for Apache James Denial of Service Vulnerability (CNVD-2022-02755)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/313136" }, { "title": "Apache James Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176870" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "others (CWE-Other) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": 
"NVD", "id": "CVE-2021-40110" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 4.8, "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-40110" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010404" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "VULMON", "id": "CVE-2021-40110" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "NVD", "id": "CVE-2021-40110" }, { "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-02755" }, { "db": "VULMON", "id": "CVE-2021-40110" }, { "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "db": "NVD", "id": "CVE-2021-40110" }, { "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-12T00:00:00", "db": "CNVD", "id": "CNVD-2022-02755" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40110" }, { "date": "2023-01-24T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "date": "2022-01-04T09:15:07.327000", "db": "NVD", "id": "CVE-2021-40110" }, { "date": "2022-01-04T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-12T00:00:00", "db": "CNVD", "id": "CNVD-2022-02755" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40110" }, { "date": 
"2023-01-24T07:25:00", "db": "JVNDB", "id": "JVNDB-2021-017532" }, { "date": "2022-01-12T19:54:54.953000", "db": "NVD", "id": "CVE-2021-40110" }, { "date": "2022-01-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-084" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-084" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017532" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-084" } ], "trust": 0.6 } }
var-200412-0673
Vulnerability from variot
Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. James is prone to a memory-leak denial-of-service vulnerability. This issue occurs during an error condition in the spooler. An attacker can exploit this issue by creating multiple error conditions, eventually consuming system resources. Successful exploitation will ultimately crash the application, denying service to legitimate users.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200412-0673", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.2.0" }, { "model": "james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "2.2" } ], "sources": [ { "db": "BID", "id": "15765" }, { "db": "NVD", "id": "CVE-2004-2650" }, { 
"db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2004-2650" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Noel J. Bergman", "sources": [ { "db": "CNNVD", "id": "CNNVD-200412-324" } ], "trust": 0.6 }, "cve": "CVE-2004-2650", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 6.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, 
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2004-2650", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-200412-324", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2004-2650" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. James is prone to a memory leak denial of service vulnerability. \nThis issue occurs during an error condition in the spooler. \nAn attacker can exploit this issue by creating multiple error conditions and eventually consume system resources. 
\nSuccessful exploitation will ultimately crash the application denying service to legitimate users", "sources": [ { "db": "NVD", "id": "CVE-2004-2650" }, { "db": "BID", "id": "15765" } ], "trust": 1.17 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "BID", "id": "15765", "trust": 1.9 }, { "db": "NVD", "id": "CVE-2004-2650", "trust": 1.6 }, { "db": "NSFOCUS", "id": "8315", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200412-324", "trust": 0.6 } ], "sources": [ { "db": "BID", "id": "15765" }, { "db": "NVD", "id": "CVE-2004-2650" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "id": "VAR-200412-0673", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T13:58:38.039000Z", "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2004-2650" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.9, "url": "http://james.apache.org/changelog.html" }, { "trust": 1.9, "url": "http://issues.apache.org/jira/browse/james-268" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/15765" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/8315" }, { "trust": 0.3, "url": 
"http://james.apache.org/index.html" } ], "sources": [ { "db": "BID", "id": "15765" }, { "db": "NVD", "id": "CVE-2004-2650" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "15765" }, { "db": "NVD", "id": "CVE-2004-2650" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2005-12-07T00:00:00", "db": "BID", "id": "15765" }, { "date": "2004-12-31T05:00:00", "db": "NVD", "id": "CVE-2004-2650" }, { "date": "2004-12-31T00:00:00", "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2005-12-07T00:00:00", "db": "BID", "id": "15765" }, { "date": "2008-09-05T20:44:44.107000", "db": "NVD", "id": "CVE-2004-2650" }, { "date": "2006-01-19T00:00:00", "db": "CNNVD", "id": "CNNVD-200412-324" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-200412-324" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James Spooler Memory Leak Denial Of Service Vulnerability", "sources": [ { "db": "BID", "id": "15765" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ], "trust": 0.9 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": 
"Design Error", "sources": [ { "db": "BID", "id": "15765" }, { "db": "CNNVD", "id": "CNNVD-200412-324" } ], "trust": 0.9 } }
var-202201-0221
Vulnerability from variot
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information. Apache James has a vulnerability in its use of cryptographic algorithms; information may be obtained. Apache James is an open source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java by the Apache Foundation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0221", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.4, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } 
], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.6.1", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-38542" } ] }, "cve": "CVE-2021-38542", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", 
"authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.3, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2021-38542", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 4.9, "id": "CNVD-2022-01767", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.2, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.9, "baseSeverity": "Medium", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-38542", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-38542", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2022-01767", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-086", "trust": 0.6, "value": "MEDIUM" 
}, { "author": "VULMON", "id": "CVE-2021-38542", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "VULMON", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" }, { "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information. Apache James Exists in the use of cryptographic algorithms.Information may be obtained. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation", "sources": [ { "db": "NVD", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "VULMON", "id": "CVE-2021-38542" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-38542", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/04/1", "trust": 3.1 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/09/20/1", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2021-017533", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-01767", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010404", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-086", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-38542", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": 
"VULMON", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" }, { "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "id": "VAR-202201-0221", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" } ], "trust": 0.8536231999999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" } ] }, "last_update_date": "2023-12-18T12:55:16.247000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top\u00a0Page", "trust": 0.8, "url": "https://www.apache.org/" }, { "title": "Patch for Apache James Command Injection Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/312706" }, { "title": "Apache James Fixes for command injection vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=176872" }, { "title": "", "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2021-38542 " }, { "title": "", "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2022-28220 " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "VULMON", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": 
"@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-327", "trust": 1.0 }, { "problemtype": "Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 4.8, "url": "http://www.openwall.com/lists/oss-security/2022/01/04/1" }, { "trust": 2.5, "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-38542" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010404" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/327.html" }, { "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2021-38542" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "VULMON", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" }, { "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-01767" }, { "db": "VULMON", "id": "CVE-2021-38542" }, { "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "db": "NVD", "id": "CVE-2021-38542" }, { "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": "CNVD-2022-01767" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": 
"CVE-2021-38542" }, { "date": "2023-01-24T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "date": "2022-01-04T09:15:07.267000", "db": "NVD", "id": "CVE-2021-38542" }, { "date": "2022-01-04T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": "CNVD-2022-01767" }, { "date": "2022-10-27T00:00:00", "db": "VULMON", "id": "CVE-2021-38542" }, { "date": "2023-01-24T07:31:00", "db": "JVNDB", "id": "JVNDB-2021-017533" }, { "date": "2022-10-27T11:39:19.073000", "db": "NVD", "id": "CVE-2021-38542" }, { "date": "2022-10-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-086" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-086" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0 Vulnerability in using cryptographic algorithms in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017533" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "encryption problem", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-086" } ], "trust": 0.6 } }
var-201710-0923
Vulnerability from variot
The JMX server embedded in Apache James, which is also used by the command-line client, is exposed to a Java deserialization issue and thus can be used to execute arbitrary commands. As James exposes the JMX socket by default only on localhost, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the affected library. Apache James Server contains a vulnerability in the deserialization of untrusted data: information may be obtained, information may be altered, and service operation may be disrupted (DoS). Apache James is prone to an arbitrary command-execution vulnerability, which may aid in further attacks. Apache James versions prior to 3.0.1 are affected.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201710-0923", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james server", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "3.0.0" }, { "model": "james server", "scope": "lt", "trust": 0.8, "vendor": "apache", "version": "3.0.1" }, { "model": "james server", "scope": "eq", "trust": 0.6, "vendor": 
"apache", "version": "3.0.0" }, { "model": "james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "3.0" }, { "model": "james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "2.2" }, { "model": "james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.8.2" }, { "model": "james", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "1.8.1" }, { "model": "james", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "3.0.1" } ], "sources": [ { "db": "BID", "id": "101532" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.0.0", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2017-12628" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Benoit Tellier.", "sources": [ { "db": "BID", "id": "101532" } ], "trust": 0.3 }, "cve": "CVE-2017-12628", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": 
"https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.9, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 7.2, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2017-12628", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2017-12628", "impactScore": null, "integrityImpact": "High", 
"privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2017-12628", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201710-999", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2017-12628", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-12628" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. Apache James Server Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache James is prone to an arbitrary command-execution vulnerability. This may aid in further attacks. 
\nApache James versions prior to 3.0.1 are affected", "sources": [ { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "BID", "id": "101532" }, { "db": "VULMON", "id": "CVE-2017-12628" } ], "trust": 1.98 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-12628", "trust": 2.8 }, { "db": "BID", "id": "101532", "trust": 1.4 }, { "db": "JVNDB", "id": "JVNDB-2017-009509", "trust": 0.8 }, { "db": "NSFOCUS", "id": "37865", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201710-999", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2017-12628", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-12628" }, { "db": "BID", "id": "101532" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "id": "VAR-201710-0923", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T12:57:11.713000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Announce: Apache James 3.0.1 security release", "trust": 0.8, "url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html" }, { "title": "Apache James JMX Server security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=75891" }, { "title": "Java-Deserialization-Cheat-Sheet", "trust": 0.1, "url": 
"https://github.com/klausware/java-deserialization-cheat-sheet " }, { "title": "Java-Deserialization-Cheat-Sheet", "trust": 0.1, "url": "https://github.com/grrrdog/java-deserialization-cheat-sheet " }, { "title": "Java-Deserialization-CVEs", "trust": 0.1, "url": "https://github.com/palindromelabs/java-deserialization-cves " } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-12628" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-502", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.2, "url": "http://www.securityfocus.com/bid/101532" }, { "trust": 1.1, "url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html" }, { "trust": 0.9, "url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12628" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-12628" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/37865" }, { "trust": 0.3, "url": "http://httpd.apache.org/" }, { "trust": 0.3, "url": "http://seclists.org/oss-sec/2017/q4/109" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/502.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/klausware/java-deserialization-cheat-sheet" }, { "trust": 0.1, "url": 
"https://github.com/grrrdog/java-deserialization-cheat-sheet" } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-12628" }, { "db": "BID", "id": "101532" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2017-12628" }, { "db": "BID", "id": "101532" }, { "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "db": "NVD", "id": "CVE-2017-12628" }, { "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-10-20T00:00:00", "db": "VULMON", "id": "CVE-2017-12628" }, { "date": "2017-10-20T00:00:00", "db": "BID", "id": "101532" }, { "date": "2017-11-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "date": "2017-10-20T15:29:00.283000", "db": "NVD", "id": "CVE-2017-12628" }, { "date": "2017-10-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2017-12628" }, { "date": "2017-10-20T00:00:00", "db": "BID", "id": "101532" }, { "date": "2017-11-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-009509" }, { "date": "2023-11-07T02:38:27.070000", "db": "NVD", "id": "CVE-2017-12628" }, { "date": "2017-11-02T00:00:00", "db": "CNNVD", "id": "CNNVD-201710-999" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-201710-999" } ], "trust": 0.6 }, "title": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James Server Vulnerable to unreliable data deserialization", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-009509" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lack of information", "sources": [ { "db": "CNNVD", "id": "CNNVD-201710-999" } ], "trust": 0.6 } }
var-202201-0203
Vulnerability from variot
The Apache James ManagedSieve implementation, when used together with the file-based storage for Sieve scripts, is vulnerable to path traversal (CWE-22) that allows reading and writing arbitrary files with the privileges of the James process. The vendor advisory states the issue was patched in Apache James 3.6.1 and higher and recommends upgrading; note, however, that the NVD configuration in the record below marks all versions below 3.6.2 as vulnerable, which is consistent with the 3.6.1 fix being incomplete (see CVE-2022-22931, the follow-up entry on this page) — treat 3.6.2 as the practical minimum. The Distributed and Cassandra-based products are not impacted, as they do not use the file-based Sieve storage. Sources disagree on whether authentication is required: NVD scores it CVSS v3.1 9.1 CRITICAL with PR:N (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), whereas CNVD scores it 5.5 MEDIUM with Au:S; deployments should assume the more severe unauthenticated case until confirmed otherwise, and should check whether ManagedSieve is exposed to untrusted networks at all. Apache James is an open-source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java by the Apache Software Foundation. An attacker could exploit this vulnerability to perform a path traversal attack and read or write any file accessible to the James process.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0203", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "3.6.2" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null }, { "model": "james", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { 
"model": "james", "scope": "eq", "trust": 0.6, "vendor": "apache", "version": "3.6.1" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", "id": "CVE-2021-40525" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.6.2", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-40525" } ] }, "cve": "CVE-2021-40525", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 4.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, { 
"acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.4, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2021-40525", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2022-01768", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 9.1, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-40525", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-40525", "trust": 1.8, "value": "CRITICAL" }, { "author": "CNVD", "id": "CNVD-2022-01768", "trust": 0.6, "value": "MEDIUM" 
}, { "author": "CNNVD", "id": "CNNVD-202201-085", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", "id": "CVE-2021-40525" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. Apache James Exists in a past traversal vulnerability.Information may be obtained and information may be tampered with. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation. 
An attacker could exploit this vulnerability to perform a path traversal attack to read and write any file", "sources": [ { "db": "NVD", "id": "CVE-2021-40525" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "VULMON", "id": "CVE-2021-40525" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-40525", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/04/4", "trust": 3.1 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/02/07/1", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2022-002893", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-01768", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010404", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-085", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-40525", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "VULMON", "id": "CVE-2021-40525" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", "id": "CVE-2021-40525" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "id": "VAR-202201-0203", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" } ], "trust": 0.8536231999999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" } ] }, "last_update_date": 
"2023-12-18T12:55:16.115000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top\u00a0Page", "trust": 0.8, "url": "https://www.apache.org/" }, { "title": "Patch for Apache James Path Traversal Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/312701" }, { "title": "Apache James Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176871" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.0 }, { "problemtype": "Path traversal (CWE-22) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", "id": "CVE-2021-40525" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 4.8, "url": "http://www.openwall.com/lists/oss-security/2022/01/04/4" }, { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/02/07/1" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-40525" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010404" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "VULMON", "id": "CVE-2021-40525" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", 
"id": "CVE-2021-40525" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "VULMON", "id": "CVE-2021-40525" }, { "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "db": "NVD", "id": "CVE-2021-40525" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": "CNVD-2022-01768" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40525" }, { "date": "2023-01-24T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "date": "2022-01-04T09:15:07.423000", "db": "NVD", "id": "CVE-2021-40525" }, { "date": "2022-01-04T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": "CNVD-2022-01768" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40525" }, { "date": "2023-01-24T07:17:00", "db": "JVNDB", "id": "JVNDB-2022-002893" }, { "date": "2022-03-29T16:34:56.937000", "db": "NVD", "id": "CVE-2021-40525" }, { "date": "2022-02-09T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-085" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-085" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James Path Traversal 
Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-01768" }, { "db": "CNNVD", "id": "CNNVD-202201-085" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-085" } ], "trust": 0.6 } }
var-202202-0164
Vulnerability from variot
The fix for CVE-2021-40525 validated that a resolved path lies within the permitted directory but did not append a path delimiter to the directory before the prefix check. Affected implementations include the maildir mailbox store and the Sieve file repository. The consequence is that an authenticated user can access the data stores of other users whose usernames begin with the attacker's own username (for example, a user named `bob` could reach a store belonging to `bobby`), since both paths share the validated prefix. This is a second path traversal (CWE-22) in Apache James, caused by the incomplete fix for CVE-2021-40525; the impact listed is disclosure of other users' information. The NVD configuration lists only version 3.6.1 as affected, and the preceding CVE-2021-40525 entry's NVD range (below 3.6.2) implies 3.6.2 carries the complete fix — operators who upgraded only to 3.6.1 should upgrade again. NVD scores it CVSS v3.1 4.3 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Note that the "patch" links titled "CVE-2022-XXXX" in the record below point to repositories that appear unrelated to James (their names reference other CVEs) and should not be treated as fixes for this issue; the authoritative fix notice is the Apache mailing-list thread referenced under "CVE-2022-22931".
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202202-0164", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null }, { "model": "james", "scope": null, "trust": 0.8, "vendor": "apache", "version": null } ], 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:3.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-22931" } ] }, "cve": "CVE-2022-22931", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.0, 
"confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2022-22931", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "impactScore": 1.4, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.3, "baseSeverity": "Medium", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2022-22931", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-22931", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202202-539", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2022-22931", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-22931" }, { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "CNNVD", "id": "CNNVD-202202-539" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. 
Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used). Apache James contains a path traversal vulnerability. This vulnerability is CVE-2021-40525 This is a vulnerability caused by an incomplete fix for.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2022-22931" }, { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "VULMON", "id": "CVE-2022-22931" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-22931", "trust": 3.3 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/02/07/1", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2022-005132", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202202-539", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-22931", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-22931" }, { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "CNNVD", "id": "CNNVD-202202-539" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "id": "VAR-202202-0164", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2024-02-13T22:30:00.129000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2022-22931", "trust": 0.8, "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { 
"title": "Apache James Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=182160" }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-23305 " }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-rce " } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-22931" }, { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "CNNVD", "id": "CNNVD-202202-539" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.0 }, { "problemtype": "Path traversal (CWE-22) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" }, { "trust": 1.7, "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-22931" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/22.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-23305" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-22931" }, { "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "CNNVD", "id": "CNNVD-202202-539" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-22931" }, { 
"db": "JVNDB", "id": "JVNDB-2022-005132" }, { "db": "CNNVD", "id": "CNNVD-202202-539" }, { "db": "NVD", "id": "CVE-2022-22931" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-07T00:00:00", "db": "VULMON", "id": "CVE-2022-22931" }, { "date": "2023-05-19T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "date": "2022-02-07T00:00:00", "db": "CNNVD", "id": "CNNVD-202202-539" }, { "date": "2022-02-07T19:15:08.300000", "db": "NVD", "id": "CVE-2022-22931" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-15T00:00:00", "db": "VULMON", "id": "CVE-2022-22931" }, { "date": "2023-05-19T02:38:00", "db": "JVNDB", "id": "JVNDB-2022-005132" }, { "date": "2022-02-18T00:00:00", "db": "CNNVD", "id": "CNNVD-202202-539" }, { "date": "2022-02-15T20:33:49.447000", "db": "NVD", "id": "CVE-2022-22931" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202202-539" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0 Past traversal vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-005132" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-202202-539" } ], "trust": 0.6 } }
var-201904-1550
Vulnerability from variot
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Apache PDFBox has an XML External Entity vulnerability: information may be obtained, information may be altered, and service operation may be disrupted (DoS). Pillow is a Python-based image processing library. There is currently no further information about this vulnerability; follow CNNVD or vendor announcements for updates. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. Apache PDFBox 2.0.14 is vulnerable.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201904-1550", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "pdfbox", "scope": "eq", "trust": 2.1, "vendor": "apache", "version": "2.0.14" }, { "model": "communications session report manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0.0" }, { "model": "banking trade finance process 
management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3" }, { "model": "webcenter sites", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "retail xstore point of service", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "17.0" }, { "model": "james", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "3.3.0" }, { "model": "banking virtual account management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "james", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "3.4.0" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2" }, { "model": "banking trade finance process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.59" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3" }, { "model": "banking virtual account management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2" }, { "model": "hyperion financial reporting", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.1.2.4" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "30" }, { "model": "banking trade finance process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "29" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", 
"version": "8.58" }, { "model": "banking virtual account management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2" }, { "model": "hyperion financial reporting", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.2.6.0" }, { "model": "retail xstore point of service", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "18.0.3" }, { "model": "webcenter sites", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "communications messaging server", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.1" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2" }, { "model": "communications session report manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.4.0" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3" }, { "model": "retail xstore point of service", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "16.0.6" }, { "model": "jboss fuse service works", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6.0" }, { "model": "jboss fuse", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6.0" }, { "model": "jboss fuse", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "7.0" }, { "model": "pdfbox", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "2.0.15" } ], "sources": [ { "db": "BID", "id": "107904" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" } ] }, "configurations": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:pdfbox:2.0.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:3.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:james:3.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": 
"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": 
"cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.2.4.0", "versionStartIncluding": "8.0.0.0", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-0228" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Kurt Boberg of DocuSign.", "sources": [ { "db": "BID", "id": "107904" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ], "trust": 0.9 }, "cve": "CVE-2019-0228", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 7.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2019-0228", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2019-0228", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-0228", "trust": 1.8, "value": "CRITICAL" }, { "author": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201904-638", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2019-0228", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": 
"VULMON", "id": "CVE-2019-0228" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Apache PDFBox Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. \nAttackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. 
\nApache PDFBox 2.0.14 is vulnerable", "sources": [ { "db": "NVD", "id": "CVE-2019-0228" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "BID", "id": "107904" }, { "db": "VULMON", "id": "CVE-2019-0228" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-0228", "trust": 2.8 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2019/04/12/1", "trust": 0.9 }, { "db": "BID", "id": "107904", "trust": 0.9 }, { "db": "JVNDB", "id": "JVNDB-2019-003486", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2021041363", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021072725", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021042320", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021042642", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.1293", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201904-638", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2019-0228", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-0228" }, { "db": "BID", "id": "107904" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "id": "VAR-201904-1550", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T11:06:43.194000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "[SECURITY] CVE-2019-0228 Apache PDFBox XML External Entity vulnerability", "trust": 0.8, "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3cusers.pdfbox.apache.org%3e" }, { "title": "Apache PDFBox Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91438" }, { "title": "SkillSearchEngine", "trust": 0.1, "url": "https://github.com/bluesnbrews/skillsearchengine " }, { "title": "", "trust": 0.1, "url": "https://github.com/cgcl-codes/phunter " } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-0228" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-611", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.3, "url": "https://www.oracle.com/security-alerts/cpuapr2021.html" }, { "trust": 1.7, "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "trust": 1.7, "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "trust": 1.7, "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0228" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3cserver-dev.james.apache.org%3e" }, { "trust": 1.1, "url": 
"https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3ccommits.tika.apache.org%3e" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3ccommits.tika.apache.org%3e" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3cserver-dev.james.apache.org%3e" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3cusers.pdfbox.apache.org%3e" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3cusers.pdfbox.apache.org%3e" }, { "trust": 0.9, "url": "https://pdfbox.apache.org/" }, { "trust": 0.9, "url": "https://issues.apache.org/jira/browse/pdfbox-4505" }, { "trust": 0.9, "url": "https://github.com/apache/pdfbox/blob/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/fdf/fdfannotationstamp.java#l144-l164" }, { "trust": 0.9, "url": "https://github.com/apache/pdfbox/releases" }, { "trust": 0.9, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1699740" }, { "trust": 0.9, "url": "https://www.openwall.com/lists/oss-security/2019/04/12/1" }, { "trust": 0.9, "url": "https://access.redhat.com/security/cve/cve-2019-0228" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0228" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3ccommits.tika.apache.org%3e" }, { 
"trust": 0.6, "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3cusers.pdfbox.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/" }, { "trust": 0.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3cusers.pdfbox.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3ccommits.tika.apache.org%3e" }, { "trust": 0.6, "url": "httpd.apache.org/" }, { "trust": 0.6, "url": "http://" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3cserver-dev.james.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3cserver-dev.james.apache.org%3e" }, { "trust": 0.6, "url": "http://mail-archives.apache.org/mod" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/apache-pdfbox-external-xml-entity-injection-30277" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2019-0228/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021072725" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021042642" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities/" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affects-ibm-control-center-cve-2019-0228/" }, { 
"trust": 0.6, "url": "https://www.oracle.com/security-alerts/cpujul2021.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021042320" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/79094" }, { "trust": 0.6, "url": "https://www.securityfocus.com/bid/107904" }, { "trust": 0.3, "url": "http://httpd.apache.org/" }, { "trust": 0.3, "url": "https://github.com/apache/pdfbox" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/611.html" }, { "trust": 0.1, "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=60042" }, { "trust": 0.1, "url": "https://github.com/bluesnbrews/skillsearchengine" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-0228" }, { "db": "BID", "id": "107904" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2019-0228" }, { "db": "BID", "id": "107904" }, { "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "db": "NVD", "id": "CVE-2019-0228" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-04-17T00:00:00", "db": "VULMON", "id": "CVE-2019-0228" }, { "date": "2019-04-15T00:00:00", "db": "BID", "id": "107904" }, { "date": "2019-05-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "date": "2019-04-17T15:29:00.703000", "db": "NVD", "id": "CVE-2019-0228" }, { "date": "2021-04-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2019-04-15T00:00:00", "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "sources_update_date": { "@context": 
{ "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2019-0228" }, { "date": "2019-04-15T00:00:00", "db": "BID", "id": "107904" }, { "date": "2019-05-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003486" }, { "date": "2023-11-07T03:01:52.850000", "db": "NVD", "id": "CVE-2019-0228" }, { "date": "2021-04-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2021-10-21T00:00:00", "db": "CNNVD", "id": "CNNVD-201904-638" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201904-638" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache PDFBox In XML External entity vulnerabilities", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003486" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202104-975" } ], "trust": 0.6 } }
var-202201-0205
Vulnerability from variot
In Apache James, while fuzzing the IMAP parsing stack with Jazzer, it was discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops, resulting in expensive CPU computation and OutOfMemory exceptions. This can be used for a denial-of-service attack. The IMAP user must be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1; the vulnerability has been patched in Apache James 3.6.1 and later, and upgrading is recommended. Apache James contains an infinite-loop vulnerability that may result in a denial of service (DoS). Apache James is an open-source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java by the Apache Foundation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0205", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.4, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "3.6.1" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } 
], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.6.1", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-40111" } ] }, "cve": "CVE-2021-40111", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": 
"Single", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-40111", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "id": "CNVD-2022-01769", "impactScore": 6.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.8, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-40111", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-40111", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2022-01769", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-087", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ 
{ "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" }, { "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Apache James Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation", "sources": [ { "db": "NVD", "id": "CVE-2021-40111" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "VULMON", "id": "CVE-2021-40111" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-40111", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/04/3", "trust": 3.1 }, { "db": "JVNDB", "id": "JVNDB-2022-002894", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-01769", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010404", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-087", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-40111", "trust": 0.1 } ], 
"sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "VULMON", "id": "CVE-2021-40111" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" }, { "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "id": "VAR-202201-0205", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" } ], "trust": 0.8536231999999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" } ] }, "last_update_date": "2023-12-18T12:55:16.168000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top\u00a0Page", "trust": 0.8, "url": "https://www.apache.org/" }, { "title": "Patch for Apache James Denial of Service Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/312711" }, { "title": "Apache James Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176873" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-835", "trust": 1.0 }, { "problemtype": "infinite loop (CWE-835) 
[NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 4.8, "url": "http://www.openwall.com/lists/oss-security/2022/01/04/3" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-40111" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010404" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "VULMON", "id": "CVE-2021-40111" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" }, { "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-01769" }, { "db": "VULMON", "id": "CVE-2021-40111" }, { "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "db": "NVD", "id": "CVE-2021-40111" }, { "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": "CNVD-2022-01769" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40111" }, { "date": "2023-01-24T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "date": "2022-01-04T09:15:07.377000", "db": "NVD", "id": "CVE-2021-40111" }, { "date": "2022-01-04T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-01-08T00:00:00", "db": "CNVD", "id": 
"CNVD-2022-01769" }, { "date": "2022-01-04T00:00:00", "db": "VULMON", "id": "CVE-2021-40111" }, { "date": "2023-01-24T07:22:00", "db": "JVNDB", "id": "JVNDB-2022-002894" }, { "date": "2022-01-12T20:06:25.853000", "db": "NVD", "id": "CVE-2021-40111" }, { "date": "2022-01-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-087" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-087" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0James\u00a0 Infinite loop vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-002894" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-087" } ], "trust": 0.6 } }
var-202209-0423
Vulnerability from variot
Apache James prior to releases 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. The fix for CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account. Apache Software Foundation's Apache James contains a command injection vulnerability that may result in a denial of service (DoS).
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202209-0423", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "eq", "trust": 1.8, "vendor": "apache", "version": "3.7.0" }, { "model": "james", "scope": "lte", "trust": 1.0, "vendor": "apache", "version": "3.6.2" }, { "model": "james", "scope": "lte", "trust": 0.8, "vendor": "apache", "version": "3.6.2 
and earlier" }, { "model": "james", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:3.7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.6.2", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-28220" } ] }, "cve": "CVE-2022-28220", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-28220", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-28220", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202209-494", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" }, { "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests. 
Apache Software Foundation of Apache James Contains a command injection vulnerability.Service operation interruption (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-28220" }, { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "VULMON", "id": "CVE-2022-28220" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-28220", "trust": 3.3 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/09/20/1", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2022-016664", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202209-494", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-28220", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-28220" }, { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" }, { "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "id": "VAR-202209-0423", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T12:55:16.223000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Apache James Fixes for command injection vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=207502" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-77", "trust": 1.0 }, { "problemtype": "Command injection (CWE-77) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html" }, { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/09/20/1" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-28220" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-28220/" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-28220" }, { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" }, { "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-28220" }, { "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "db": "NVD", "id": "CVE-2022-28220" }, { "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-09-08T00:00:00", "db": "VULMON", "id": "CVE-2022-28220" }, { "date": "2023-10-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "date": "2022-09-08T08:15:07.813000", "db": "NVD", "id": "CVE-2022-28220" }, { "date": "2022-09-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } 
}, "data": [ { "date": "2022-09-08T00:00:00", "db": "VULMON", "id": "CVE-2022-28220" }, { "date": "2023-10-05T08:34:00", "db": "JVNDB", "id": "JVNDB-2022-016664" }, { "date": "2022-09-30T19:16:02.960000", "db": "NVD", "id": "CVE-2022-28220" }, { "date": "2022-09-21T00:00:00", "db": "CNNVD", "id": "CNNVD-202209-494" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-494" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0Apache\u00a0James\u00a0 Command injection vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016664" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "command injection", "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-494" } ], "trust": 0.6 } }
var-202304-0065
Vulnerability from variot
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users. Apache Software Foundation's Apache James has a vulnerability related to the lack of authentication; information may be obtained or tampered with, and service operation may be interrupted (DoS).
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202304-0065", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "james", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "3.7.4" }, { "model": "james", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "3.7.4" }, { "model": "james", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.7.4", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-26269" } ] }, "cve": "CVE-2023-26269", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, 
"id": "CVE-2023-26269", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-26269", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202304-054", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" }, { "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user. \n\nAdministrators are advised to disable JMX, or set up a JMX password. \n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users. Apache Software Foundation of Apache James Exists in a vulnerability related to the lack of authentication.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-26269" }, { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "VULMON", "id": "CVE-2023-26269" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-26269", "trust": 3.3 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2023/04/18/3", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2023-006511", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202304-054", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-26269", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-26269" }, { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" }, { "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "id": "VAR-202304-0065", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.2536232 }, "last_update_date": "2023-12-18T13:50:34.288000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Apache James Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=232731" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-862", "trust": 1.0 }, { "problemtype": "Lack of 
authentication (CWE-862) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs" }, { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2023/04/18/3" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-26269" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-26269/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/862.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-26269" }, { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" }, { "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-26269" }, { "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "db": "NVD", "id": "CVE-2023-26269" }, { "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-04-03T00:00:00", "db": "VULMON", "id": "CVE-2023-26269" }, { "date": "2023-11-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "date": "2023-04-03T08:15:07.087000", "db": "NVD", "id": "CVE-2023-26269" }, { "date": "2023-04-03T00:00:00", "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-04-03T00:00:00", "db": 
"VULMON", "id": "CVE-2023-26269" }, { "date": "2023-11-15T04:52:00", "db": "JVNDB", "id": "JVNDB-2023-006511" }, { "date": "2023-04-18T03:15:07.593000", "db": "NVD", "id": "CVE-2023-26269" }, { "date": "2023-04-19T00:00:00", "db": "CNNVD", "id": "CNNVD-202304-054" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202304-054" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0Apache\u00a0James\u00a0 Vulnerability regarding lack of authentication in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-006511" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202304-054" } ], "trust": 0.6 } }