Search criteria
55 vulnerabilities found for james by apache
VAR-202301-0598
Vulnerability from variot - Updated: 2024-07-23 19:32Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users to upgrade to MIME4j version 0.8.9 or later. Apache James MIME4J There is a vulnerability in plaintext storage of important information.Information may be obtained. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update Advisory ID: RHSA-2023:1512-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2023:1512 Issue date: 2023-03-29 CVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 CVE-2022-45787 CVE-2023-0482 CVE-2023-1108 =====================================================================
- Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
-
hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
-
Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
-
undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
-
snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
-
dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
-
codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
-
apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
-
RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode 2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow 2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client 2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001
JBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7
JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001
JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002
JBEAP-24220 - GSS Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001
JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile
JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004
JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1
JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001
JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final
JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012
JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001
JBEAP-24383 - GSS Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7
JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final
JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001
JBEAP-24395 - GSS Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final
JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9
JBEAP-24535 - GSS UNDERTOW-2239 - Infinite loop in SslConduit during close on JDK 11
JBEAP-24574 - PST Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001
JBEAP-24588 - GSS RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9
JBEAP-24605 - PST Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2
JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 7 Server:
Source: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm eap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm
noarch: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
x86_64: eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41853 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b 81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA Juh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S rPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF Q8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4 7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt cVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y WBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu JdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy R51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt 4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi fsWX8UaljMw= =qlyL -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . You can also manage user accounts for web applications, mobile applications, and RESTful web services. Description:
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
- JIRA issues fixed (https://issues.redhat.com/):
QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass --userns=keep-id to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202301-0598",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "0.8.9"
},
{
"model": "hitachi ops center common services",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "james",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:mime4j:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.8.9",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "171600"
},
{
"db": "PACKETSTORM",
"id": "171593"
},
{
"db": "PACKETSTORM",
"id": "171664"
},
{
"db": "PACKETSTORM",
"id": "172284"
},
{
"db": "PACKETSTORM",
"id": "172281"
},
{
"db": "PACKETSTORM",
"id": "172265"
},
{
"db": "PACKETSTORM",
"id": "173213"
}
],
"trust": 0.7
},
"cve": "CVE-2022-45787",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-45787",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-45787",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202301-447",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. \n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later. Apache James MIME4J There is a vulnerability in plaintext storage of important information.Information may be obtained. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update\nAdvisory ID: RHSA-2023:1512-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:1512\nIssue date: 2023-03-29\nCVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 \n CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 \n CVE-2022-45787 CVE-2023-0482 CVE-2023-1108 \n=====================================================================\n\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.4 for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.4.10 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution\n(CVE-2022-1471)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* undertow: Server identity in https connection is not checked by the\nundertow client (CVE-2022-4492)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode\n(CVE-2022-38752)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS\n(CVE-2022-41881)\n\n* apache-james-mime4j: Temporary File Information Disclosure in MIME4J\nTempFileStorageProvider (CVE-2022-45787)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode\n2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack\n2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution\n2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow\n2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client\n2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS\n2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider\n2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files\n2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001\nJBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7\nJBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001\nJBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002\nJBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001\nJBEAP-24254 - JDK17, CLI script to update security doesn\u0027t apply to microprofile\nJBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004\nJBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1\nJBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001\nJBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final\nJBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012\nJBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001\nJBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7\nJBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final\nJBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001\nJBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final\nJBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9\nJBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11\nJBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001\nJBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9\nJBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2\nJBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001\n\n7. Package List:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server:\n\nSource:\neap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm\neap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm\neap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm\neap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm\neap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm\neap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm\neap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm\neap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm\neap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm\neap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm\neap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm\neap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm\neap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm\neap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\neap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm\n\nx86_64:\neap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-1471\nhttps://access.redhat.com/security/cve/CVE-2022-4492\nhttps://access.redhat.com/security/cve/CVE-2022-38752\nhttps://access.redhat.com/security/cve/CVE-2022-41853\nhttps://access.redhat.com/security/cve/CVE-2022-41854\nhttps://access.redhat.com/security/cve/CVE-2022-41881\nhttps://access.redhat.com/security/cve/CVE-2022-45787\nhttps://access.redhat.com/security/cve/CVE-2023-0482\nhttps://access.redhat.com/security/cve/CVE-2023-1108\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b\n81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA\nJuh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S\nrPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF\nQ8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4\n7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt\ncVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y\nWBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu\nJdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy\nR51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt\n4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi\nfsWX8UaljMw=\n=qlyL\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices. Description:\n\nRed Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):\n\n2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider\n2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files\n2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files\n2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks\n2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow\n2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption\n2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray\n2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol\n\n5. JIRA issues fixed (https://issues.redhat.com/):\n\nQUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4\nQUARKUS-2787 - Rest Data Panache: Correct Open API integration\nQUARKUS-2846 - Ensure that new line chars don\u0027t break Panache projection\nQUARKUS-2978 - ExceptionMapper\u003cWebApplicationException\u003e is not working in DEV mode\nQUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected\nQUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled\nQUARKUS-3161 - Fix security-csrf-prevention.adoc\nQUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage\nQUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases\nQUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13\nQUARKUS-3169 - New home for Narayana LRA coordinator Docker images\nQUARKUS-3170 - Fix truststore REST Client config when password is not set\nQUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime\nQUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers\nQUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest\nQUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them\nQUARKUS-3177 - Fix copy paste error in qute docs\nQUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode\nQUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request\nQUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies\nQUARKUS-3184 - Use SchemaType.ARRAY instead of \"ARRAY\" for native support\nQUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream\nQUARKUS-3187 - Allow context propagation for OpenTelemetry\nQUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest\nQUARKUS-3191 - Drop \u0027:z\u0027 bind option when using MacOS and Podman\nQUARKUS-3194 - Exclude Netty\u0027s reflection configuration files\nQUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)\nQUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-45787"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"db": "PACKETSTORM",
"id": "171600"
},
{
"db": "PACKETSTORM",
"id": "171593"
},
{
"db": "PACKETSTORM",
"id": "171664"
},
{
"db": "PACKETSTORM",
"id": "172284"
},
{
"db": "PACKETSTORM",
"id": "172281"
},
{
"db": "PACKETSTORM",
"id": "172265"
},
{
"db": "PACKETSTORM",
"id": "173213"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-45787",
"trust": 4.0
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2023.3663",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1879",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1925",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3726",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-45787",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171600",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171593",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171664",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172284",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172281",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172265",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "173213",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "PACKETSTORM",
"id": "171600"
},
{
"db": "PACKETSTORM",
"id": "171593"
},
{
"db": "PACKETSTORM",
"id": "171664"
},
{
"db": "PACKETSTORM",
"id": "172284"
},
{
"db": "PACKETSTORM",
"id": "172281"
},
{
"db": "PACKETSTORM",
"id": "172265"
},
{
"db": "PACKETSTORM",
"id": "173213"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"id": "VAR-202301-0598",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2024-07-23T19:32:41.408000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2023-143",
"trust": 0.8,
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
},
{
"title": "Apache James Repair measures for information disclosure vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=221320"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-45787 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-312",
"trust": 1.0
},
{
"problemtype": "Plaintext storage of important information (CWE-312) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-45787"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2023-0482"
},
{
"trust": 0.7,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0482"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-45787"
},
{
"trust": 0.7,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-4492"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-41854"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-4492"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-38752"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41881"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-38752"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41854"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-41881"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1925"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1879"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3726"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-45787/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3663"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2023-1108"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1108"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1471"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41853"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-1471"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-41853"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-0341"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-0341"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-45787"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1513"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches\u0026product=appplatform\u0026version=7.4"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1516"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21967"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21938"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0361"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21939"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0361"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21930"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21937"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21968"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21967"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21938"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21930"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21954"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21939"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-21954"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21937"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso\u0026downloadtype=securitypatches\u0026version=7.6"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2713"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2705"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-26053"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1436"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-28867"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/4966181"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-26053"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1584"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0481"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0481"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1584"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2974"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-28867"
},
{
"trust": 0.1,
"url": "https://issues.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:3809"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-2974"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-1436"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "PACKETSTORM",
"id": "171600"
},
{
"db": "PACKETSTORM",
"id": "171593"
},
{
"db": "PACKETSTORM",
"id": "171664"
},
{
"db": "PACKETSTORM",
"id": "172284"
},
{
"db": "PACKETSTORM",
"id": "172281"
},
{
"db": "PACKETSTORM",
"id": "172265"
},
{
"db": "PACKETSTORM",
"id": "173213"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"db": "PACKETSTORM",
"id": "171600"
},
{
"db": "PACKETSTORM",
"id": "171593"
},
{
"db": "PACKETSTORM",
"id": "171664"
},
{
"db": "PACKETSTORM",
"id": "172284"
},
{
"db": "PACKETSTORM",
"id": "172281"
},
{
"db": "PACKETSTORM",
"id": "172265"
},
{
"db": "PACKETSTORM",
"id": "173213"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-06T00:00:00",
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"date": "2023-05-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"date": "2023-03-30T17:37:20",
"db": "PACKETSTORM",
"id": "171600"
},
{
"date": "2023-03-30T17:23:56",
"db": "PACKETSTORM",
"id": "171593"
},
{
"date": "2023-04-03T16:59:40",
"db": "PACKETSTORM",
"id": "171664"
},
{
"date": "2023-05-11T15:12:56",
"db": "PACKETSTORM",
"id": "172284"
},
{
"date": "2023-05-11T15:05:35",
"db": "PACKETSTORM",
"id": "172281"
},
{
"date": "2023-05-10T15:30:39",
"db": "PACKETSTORM",
"id": "172265"
},
{
"date": "2023-06-30T14:34:04",
"db": "PACKETSTORM",
"id": "173213"
},
{
"date": "2023-01-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"date": "2023-01-06T10:15:10.383000",
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-06T00:00:00",
"db": "VULMON",
"id": "CVE-2022-45787"
},
{
"date": "2023-10-04T05:41:00",
"db": "JVNDB",
"id": "JVNDB-2023-001784"
},
{
"date": "2023-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202301-447"
},
{
"date": "2023-11-07T03:54:49.427000",
"db": "NVD",
"id": "CVE-2022-45787"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0MIME4J\u00a0 Vulnerability in plaintext storage of important information in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001784"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202301-447"
}
],
"trust": 0.6
}
}
VAR-202202-0164
Vulnerability from variot - Updated: 2024-02-13 22:30Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used). Apache James contains a path traversal vulnerability. This vulnerability is CVE-2021-40525 This is a vulnerability caused by an incomplete fix for.Information may be obtained
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202202-0164",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:3.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"cve": "CVE-2022-22931",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2022-22931",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2022-22931",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-22931",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202202-539",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2022-22931",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used). Apache James contains a path traversal vulnerability. This vulnerability is CVE-2021-40525 This is a vulnerability caused by an incomplete fix for.Information may be obtained",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "VULMON",
"id": "CVE-2022-22931"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-22931",
"trust": 3.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/02/07/1",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-22931",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"id": "VAR-202202-0164",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2024-02-13T22:30:00.129000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2022-22931",
"trust": 0.8,
"url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr"
},
{
"title": "Apache James Repair measures for path traversal vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=182160"
},
{
"title": "CVE-2022-XXXX",
"trust": 0.1,
"url": "https://github.com/alphabugx/cve-2022-23305 "
},
{
"title": "CVE-2022-XXXX",
"trust": 0.1,
"url": "https://github.com/alphabugx/cve-2022-rce "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.0
},
{
"problemtype": "Path traversal (CWE-22) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.openwall.com/lists/oss-security/2022/02/07/1"
},
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22931"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/alphabugx/cve-2022-23305"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-07T00:00:00",
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"date": "2023-05-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"date": "2022-02-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"date": "2022-02-07T19:15:08.300000",
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-15T00:00:00",
"db": "VULMON",
"id": "CVE-2022-22931"
},
{
"date": "2023-05-19T02:38:00",
"db": "JVNDB",
"id": "JVNDB-2022-005132"
},
{
"date": "2022-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202202-539"
},
{
"date": "2022-02-15T20:33:49.447000",
"db": "NVD",
"id": "CVE-2022-22931"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0 Past traversal vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-005132"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202202-539"
}
],
"trust": 0.6
}
}
VAR-200412-0673
Vulnerability from variot - Updated: 2023-12-18 13:58Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. James is prone to a memory leak denial of service vulnerability. This issue occurs during an error condition in the spooler. An attacker can exploit this issue by creating multiple error conditions and eventually consume system resources. Successful exploitation will ultimately crash the application denying service to legitimate users
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200412-0673",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.2.0"
},
{
"model": "james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2"
}
],
"sources": [
{
"db": "BID",
"id": "15765"
},
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-2650"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Noel J. Bergman",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
],
"trust": 0.6
},
"cve": "CVE-2004-2650",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2004-2650",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200412-324",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the retrieve function, which prevents a lock from being released and causes a memory leak. James is prone to a memory leak denial of service vulnerability. \nThis issue occurs during an error condition in the spooler. \nAn attacker can exploit this issue by creating multiple error conditions and eventually consume system resources. \nSuccessful exploitation will ultimately crash the application denying service to legitimate users",
"sources": [
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "BID",
"id": "15765"
}
],
"trust": 1.17
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "15765",
"trust": 1.9
},
{
"db": "NVD",
"id": "CVE-2004-2650",
"trust": 1.6
},
{
"db": "NSFOCUS",
"id": "8315",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324",
"trust": 0.6
}
],
"sources": [
{
"db": "BID",
"id": "15765"
},
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"id": "VAR-200412-0673",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T13:58:38.039000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-2650"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "http://james.apache.org/changelog.html"
},
{
"trust": 1.9,
"url": "http://issues.apache.org/jira/browse/james-268"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/15765"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/8315"
},
{
"trust": 0.3,
"url": "http://james.apache.org/index.html"
}
],
"sources": [
{
"db": "BID",
"id": "15765"
},
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "BID",
"id": "15765"
},
{
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2005-12-07T00:00:00",
"db": "BID",
"id": "15765"
},
{
"date": "2004-12-31T05:00:00",
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"date": "2004-12-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2005-12-07T00:00:00",
"db": "BID",
"id": "15765"
},
{
"date": "2008-09-05T20:44:44.107000",
"db": "NVD",
"id": "CVE-2004-2650"
},
{
"date": "2006-01-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James Spooler Memory Leak Denial Of Service Vulnerability",
"sources": [
{
"db": "BID",
"id": "15765"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "15765"
},
{
"db": "CNNVD",
"id": "CNNVD-200412-324"
}
],
"trust": 0.9
}
}
VAR-202304-0065
Vulnerability from variot - Updated: 2023-12-18 13:50Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users. Apache Software Foundation of Apache James Exists in a vulnerability related to the lack of authentication.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202304-0065",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "3.7.4"
},
{
"model": "james",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "3.7.4"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.7.4",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-26269"
}
]
},
"cve": "CVE-2023-26269",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-26269",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-26269",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202304-054",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user. \n\nAdministrators are advised to disable JMX, or set up a JMX password. \n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users. Apache Software Foundation of Apache James Exists in a vulnerability related to the lack of authentication.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "VULMON",
"id": "CVE-2023-26269"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-26269",
"trust": 3.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2023/04/18/3",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006511",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202304-054",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2023-26269",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-26269"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"id": "VAR-202304-0065",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T13:50:34.288000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Apache James Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=232731"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-862",
"trust": 1.0
},
{
"problemtype": "Lack of authentication (CWE-862) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-26269"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-26269/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/862.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-26269"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2023-26269"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-04-03T00:00:00",
"db": "VULMON",
"id": "CVE-2023-26269"
},
{
"date": "2023-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"date": "2023-04-03T08:15:07.087000",
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"date": "2023-04-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-04-03T00:00:00",
"db": "VULMON",
"id": "CVE-2023-26269"
},
{
"date": "2023-11-15T04:52:00",
"db": "JVNDB",
"id": "JVNDB-2023-006511"
},
{
"date": "2023-04-18T03:15:07.593000",
"db": "NVD",
"id": "CVE-2023-26269"
},
{
"date": "2023-04-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0Apache\u00a0James\u00a0 Vulnerability regarding lack of authentication in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-006511"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202304-054"
}
],
"trust": 0.6
}
}
VAR-200606-0421
Vulnerability from variot - Updated: 2023-12-18 13:49The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command. Apache James is prone to a remote denial-of-service vulnerability. This issue is due to the application's failure to efficiently handle malformed SMTP commands. This issue allows remote attackers to consume excessive CPU resources of affected computers, potentially denying service to legitimate users. Apache James version 2.2.0 is vulnerable to this issue; other versions may also be affected
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200606-0421",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.2.0"
},
{
"model": "software foundation james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2"
}
],
"sources": [
{
"db": "BID",
"id": "18138"
},
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2006-2806"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ahmad Muammar W.K y3dips@echo.or.id",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
],
"trust": 0.6
},
"cve": "CVE-2006-2806",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2006-2806",
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2006-2806",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200606-102",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2006-2806",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a long argument to the MAIL command. Apache James is prone to a remote denial-of-service vulnerability. This issue is due to the application\u0027s failure to efficiently handle malformed SMTP commands. \nThis issue allows remote attackers to consume excessive CPU resources of affected computers, potentially denying service to legitimate users. \nApache James version 2.2.0 is vulnerable to this issue; other versions may also be affected",
"sources": [
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "BID",
"id": "18138"
},
{
"db": "VULMON",
"id": "CVE-2006-2806"
}
],
"trust": 1.26
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "18138",
"trust": 2.0
},
{
"db": "NVD",
"id": "CVE-2006-2806",
"trust": 2.0
},
{
"db": "SREASON",
"id": "1038",
"trust": 1.7
},
{
"db": "BUGTRAQ",
"id": "20060528 JAMES 2.2.0",
"trust": 0.6
},
{
"db": "XF",
"id": "26786",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2006-2806",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"db": "BID",
"id": "18138"
},
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"id": "VAR-200606-0421",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T13:49:51.773000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2006-2806"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/18138"
},
{
"trust": 1.7,
"url": "http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt"
},
{
"trust": 1.7,
"url": "http://securityreason.com/securityalert/1038"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/435278/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26786"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/435278/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/26786"
},
{
"trust": 0.3,
"url": "http://james.apache.org/index.html"
},
{
"trust": 0.3,
"url": "/archive/1/435278"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"db": "BID",
"id": "18138"
},
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"db": "BID",
"id": "18138"
},
{
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-06-05T00:00:00",
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"date": "2006-05-29T00:00:00",
"db": "BID",
"id": "18138"
},
{
"date": "2006-06-05T17:02:00",
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"date": "2006-05-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-18T00:00:00",
"db": "VULMON",
"id": "CVE-2006-2806"
},
{
"date": "2016-02-02T20:01:00",
"db": "BID",
"id": "18138"
},
{
"date": "2018-10-18T16:43:02.870000",
"db": "NVD",
"id": "CVE-2006-2806"
},
{
"date": "2006-06-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James SMTP Remotely Extra long data Denial of service vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "18138"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-102"
}
],
"trust": 0.9
}
}
VAR-201710-0923
Vulnerability from variot - Updated: 2023-12-18 12:57The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. Apache James Server Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache James is prone to an arbitrary command-execution vulnerability. This may aid in further attacks. Apache James versions prior to 3.0.1 are affected
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201710-0923",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james server",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "3.0.0"
},
{
"model": "james server",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "3.0.1"
},
{
"model": "james server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "3.0.0"
},
{
"model": "james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "3.0"
},
{
"model": "james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2"
},
{
"model": "james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "1.8.2"
},
{
"model": "james",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "1.8.1"
},
{
"model": "james",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": "3.0.1"
}
],
"sources": [
{
"db": "BID",
"id": "101532"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2017-12628"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Benoit Tellier.",
"sources": [
{
"db": "BID",
"id": "101532"
}
],
"trust": 0.3
},
"cve": "CVE-2017-12628",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.2,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2017-12628",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2017-12628",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2017-12628",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201710-999",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2017-12628",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. Apache James Server Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache James is prone to an arbitrary command-execution vulnerability. This may aid in further attacks. \nApache James versions prior to 3.0.1 are affected",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "BID",
"id": "101532"
},
{
"db": "VULMON",
"id": "CVE-2017-12628"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-12628",
"trust": 2.8
},
{
"db": "BID",
"id": "101532",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509",
"trust": 0.8
},
{
"db": "NSFOCUS",
"id": "37865",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2017-12628",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"db": "BID",
"id": "101532"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"id": "VAR-201710-0923",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T12:57:11.713000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Announce: Apache James 3.0.1 security release",
"trust": 0.8,
"url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html"
},
{
"title": "Apache James JMX Server security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=75891"
},
{
"title": "Java-Deserialization-Cheat-Sheet",
"trust": 0.1,
"url": "https://github.com/klausware/java-deserialization-cheat-sheet "
},
{
"title": "Java-Deserialization-Cheat-Sheet",
"trust": 0.1,
"url": "https://github.com/grrrdog/java-deserialization-cheat-sheet "
},
{
"title": "Java-Deserialization-CVEs",
"trust": 0.1,
"url": "https://github.com/palindromelabs/java-deserialization-cves "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-502",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.2,
"url": "http://www.securityfocus.com/bid/101532"
},
{
"trust": 1.1,
"url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html"
},
{
"trust": 0.9,
"url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12628"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12628"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/37865"
},
{
"trust": 0.3,
"url": "http://httpd.apache.org/"
},
{
"trust": 0.3,
"url": "http://seclists.org/oss-sec/2017/q4/109"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/502.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/klausware/java-deserialization-cheat-sheet"
},
{
"trust": 0.1,
"url": "https://github.com/grrrdog/java-deserialization-cheat-sheet"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"db": "BID",
"id": "101532"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"db": "BID",
"id": "101532"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-20T00:00:00",
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"date": "2017-10-20T00:00:00",
"db": "BID",
"id": "101532"
},
{
"date": "2017-11-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"date": "2017-10-20T15:29:00.283000",
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"date": "2017-10-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2017-12628"
},
{
"date": "2017-10-20T00:00:00",
"db": "BID",
"id": "101532"
},
{
"date": "2017-11-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009509"
},
{
"date": "2023-11-07T02:38:27.070000",
"db": "NVD",
"id": "CVE-2017-12628"
},
{
"date": "2017-11-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James Server Vulnerable to unreliable data deserialization",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009509"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201710-999"
}
],
"trust": 0.6
}
}
VAR-202201-0221
Vulnerability from variot - Updated: 2023-12-18 12:55Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information. Apache James Exists in the use of cryptographic algorithms.Information may be obtained. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0221",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.4,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-38542"
}
]
},
"cve": "CVE-2021-38542",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-38542",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "CNVD-2022-01767",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.9,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-38542",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-38542",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2022-01767",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-086",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-38542",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information. Apache James Exists in the use of cryptographic algorithms.Information may be obtained. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-38542",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/04/1",
"trust": 3.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/09/20/1",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-01767",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010404",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-38542",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"id": "VAR-202201-0221",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
}
],
"trust": 0.8536231999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
}
]
},
"last_update_date": "2023-12-18T12:55:16.247000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.apache.org/"
},
{
"title": "Patch for Apache James Command Injection Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/312706"
},
{
"title": "Apache James Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=176872"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2021-38542 "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-28220 "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-327",
"trust": 1.0
},
{
"problemtype": "Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.8,
"url": "http://www.openwall.com/lists/oss-security/2022/01/04/1"
},
{
"trust": 2.5,
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-38542"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010404"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/327.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2021-38542"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"date": "2023-01-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"date": "2022-01-04T09:15:07.267000",
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"date": "2022-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01767"
},
{
"date": "2022-10-27T00:00:00",
"db": "VULMON",
"id": "CVE-2021-38542"
},
{
"date": "2023-01-24T07:31:00",
"db": "JVNDB",
"id": "JVNDB-2021-017533"
},
{
"date": "2022-10-27T11:39:19.073000",
"db": "NVD",
"id": "CVE-2021-38542"
},
{
"date": "2022-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0 Vulnerability in using cryptographic algorithms in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-017533"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-086"
}
],
"trust": 0.6
}
}
VAR-202201-0205
Vulnerability from variot - Updated: 2023-12-18 12:55In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Apache James Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0205",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.4,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40111"
}
]
},
"cve": "CVE-2021-40111",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-40111",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.0,
"id": "CNVD-2022-01769",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-40111",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-40111",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2022-01769",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-087",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Apache James Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "VULMON",
"id": "CVE-2021-40111"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-40111",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/04/3",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-01769",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010404",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-40111",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "VULMON",
"id": "CVE-2021-40111"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"id": "VAR-202201-0205",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
}
],
"trust": 0.8536231999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
}
]
},
"last_update_date": "2023-12-18T12:55:16.168000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.apache.org/"
},
{
"title": "Patch for Apache James Denial of Service Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/312711"
},
{
"title": "Apache James Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176873"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-835",
"trust": 1.0
},
{
"problemtype": "infinite loop (CWE-835) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.8,
"url": "http://www.openwall.com/lists/oss-security/2022/01/04/3"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40111"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010404"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "VULMON",
"id": "CVE-2021-40111"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"db": "VULMON",
"id": "CVE-2021-40111"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40111"
},
{
"date": "2023-01-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"date": "2022-01-04T09:15:07.377000",
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"date": "2022-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01769"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40111"
},
{
"date": "2023-01-24T07:22:00",
"db": "JVNDB",
"id": "JVNDB-2022-002894"
},
{
"date": "2022-01-12T20:06:25.853000",
"db": "NVD",
"id": "CVE-2021-40111"
},
{
"date": "2022-01-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0 Infinite loop vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-002894"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-087"
}
],
"trust": 0.6
}
}
VAR-202201-0203
Vulnerability from variot - Updated: 2023-12-18 12:55Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. Apache James Exists in a past traversal vulnerability.Information may be obtained and information may be tampered with. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation. An attacker could exploit this vulnerability to perform a path traversal attack to read and write any file
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0203",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "3.6.2"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "3.6.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40525"
}
]
},
"cve": "CVE-2021-40525",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.4,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-40525",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2022-01768",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-40525",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-40525",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2022-01768",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-085",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. Apache James Exists in a past traversal vulnerability.Information may be obtained and information may be tampered with. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation. An attacker could exploit this vulnerability to perform a path traversal attack to read and write any file",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "VULMON",
"id": "CVE-2021-40525"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-40525",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/04/4",
"trust": 3.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/02/07/1",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-01768",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010404",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-40525",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "VULMON",
"id": "CVE-2021-40525"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"id": "VAR-202201-0203",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
}
],
"trust": 0.8536231999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
}
]
},
"last_update_date": "2023-12-18T12:55:16.115000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.apache.org/"
},
{
"title": "Patch for Apache James Path Traversal Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/312701"
},
{
"title": "Apache James Repair measures for path traversal vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176871"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.0
},
{
"problemtype": "Path traversal (CWE-22) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.8,
"url": "http://www.openwall.com/lists/oss-security/2022/01/04/4"
},
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/02/07/1"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40525"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010404"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "VULMON",
"id": "CVE-2021-40525"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "VULMON",
"id": "CVE-2021-40525"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40525"
},
{
"date": "2023-01-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"date": "2022-01-04T09:15:07.423000",
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"date": "2022-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40525"
},
{
"date": "2023-01-24T07:17:00",
"db": "JVNDB",
"id": "JVNDB-2022-002893"
},
{
"date": "2022-03-29T16:34:56.937000",
"db": "NVD",
"id": "CVE-2021-40525"
},
{
"date": "2022-02-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James Path Traversal Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-01768"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-085"
}
],
"trust": 0.6
}
}
VAR-202201-0206
Vulnerability from variot - Updated: 2023-12-18 12:55In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking. Apache James Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0206",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "lt",
"trust": 1.6,
"vendor": "apache",
"version": "3.6.1"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "3.6.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40110"
}
]
},
"cve": "CVE-2021-40110",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-40110",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.0,
"id": "CNVD-2022-02755",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-40110",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-40110",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2022-02755",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-084",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking. Apache James Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "VULMON",
"id": "CVE-2021-40110"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-40110",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/04/2",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-02755",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010404",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-40110",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "VULMON",
"id": "CVE-2021-40110"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"id": "VAR-202201-0206",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
}
],
"trust": 0.8536231999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
}
]
},
"last_update_date": "2023-12-18T12:55:16.195000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.apache.org/"
},
{
"title": "Patch for Apache James Denial of Service Vulnerability (CNVD-2022-02755)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/313136"
},
{
"title": "Apache James Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176870"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "others (CWE-Other) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.8,
"url": "http://www.openwall.com/lists/oss-security/2022/01/04/2"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40110"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010404"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "VULMON",
"id": "CVE-2021-40110"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"db": "VULMON",
"id": "CVE-2021-40110"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40110"
},
{
"date": "2023-01-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"date": "2022-01-04T09:15:07.327000",
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"date": "2022-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02755"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40110"
},
{
"date": "2023-01-24T07:25:00",
"db": "JVNDB",
"id": "JVNDB-2021-017532"
},
{
"date": "2022-01-12T19:54:54.953000",
"db": "NVD",
"id": "CVE-2021-40110"
},
{
"date": "2022-01-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0 Vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-017532"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-084"
}
],
"trust": 0.6
}
}
VAR-202209-0423
Vulnerability from variot - Updated: 2023-12-18 12:55Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests. Apache Software Foundation of Apache James Contains a command injection vulnerability.Service operation interruption (DoS) It may be in a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202209-0423",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "eq",
"trust": 1.8,
"vendor": "apache",
"version": "3.7.0"
},
{
"model": "james",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "3.6.2"
},
{
"model": "james",
"scope": "lte",
"trust": 0.8,
"vendor": "apache",
"version": "3.6.2 and earlier"
},
{
"model": "james",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:3.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.6.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-28220"
}
]
},
"cve": "CVE-2022-28220",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2022-28220",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-28220",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202209-494",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests. Apache Software Foundation of Apache James Contains a command injection vulnerability.Service operation interruption (DoS) It may be in a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "VULMON",
"id": "CVE-2022-28220"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-28220",
"trust": 3.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/09/20/1",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016664",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202209-494",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-28220",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-28220"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"id": "VAR-202209-0423",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T12:55:16.223000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Apache James Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=207502"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.0
},
{
"problemtype": "Command injection (CWE-77) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
},
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28220"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-28220/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-28220"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-28220"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-09-08T00:00:00",
"db": "VULMON",
"id": "CVE-2022-28220"
},
{
"date": "2023-10-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"date": "2022-09-08T08:15:07.813000",
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"date": "2022-09-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-09-08T00:00:00",
"db": "VULMON",
"id": "CVE-2022-28220"
},
{
"date": "2023-10-05T08:34:00",
"db": "JVNDB",
"id": "JVNDB-2022-016664"
},
{
"date": "2022-09-30T19:16:02.960000",
"db": "NVD",
"id": "CVE-2022-28220"
},
{
"date": "2022-09-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0Apache\u00a0James\u00a0 Command injection vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016664"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-494"
}
],
"trust": 0.6
}
}
VAR-202301-0613
Vulnerability from variot - Updated: 2023-12-18 12:25Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
Vulnerable components includes the SMTP stack and IMAP APPEND command.
This issue affects Apache James server version 3.7.2 and prior versions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202301-0613",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "james",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "3.7.2"
},
{
"model": "james",
"scope": "lte",
"trust": 0.8,
"vendor": "apache",
"version": "3.7.2 and earlier"
},
{
"model": "james",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.7.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-45935"
}
]
},
"cve": "CVE-2022-45935",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-45935",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-45935",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202301-445",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command. \n\nThis issue affects Apache James server version 3.7.2 and prior versions",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "VULMON",
"id": "CVE-2022-45935"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-45935",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-45935",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"id": "VAR-202301-0613",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T12:25:37.219000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Temporary\u00a0File\u00a0Information\u00a0Disclosure",
"trust": 0.8,
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
},
{
"title": "Apache James Repair measures for information disclosure vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=220229"
},
{
"title": "Red Hat: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2022-45935"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-45935 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-668",
"trust": 1.0
},
{
"problemtype": "Sending important information in clear text (CWE-319) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-45935"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-45935"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-45935/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-45935"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-06T00:00:00",
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"date": "2023-05-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"date": "2023-01-06T10:15:10.447000",
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"date": "2023-01-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-06T00:00:00",
"db": "VULMON",
"id": "CVE-2022-45935"
},
{
"date": "2023-05-11T02:36:00",
"db": "JVNDB",
"id": "JVNDB-2023-001783"
},
{
"date": "2023-07-12T11:15:09.623000",
"db": "NVD",
"id": "CVE-2022-45935"
},
{
"date": "2023-07-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0James\u00a0 Vulnerability related to transmission of important information in plaintext in server",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-001783"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202301-445"
}
],
"trust": 0.6
}
}
VAR-201904-1550
Vulnerability from variot - Updated: 2023-12-18 11:06Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Apache PDFBox Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. Apache PDFBox 2.0.14 is vulnerable
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1550",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "pdfbox",
"scope": "eq",
"trust": 2.1,
"vendor": "apache",
"version": "2.0.14"
},
{
"model": "communications session report manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0.0"
},
{
"model": "banking trade finance process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.3"
},
{
"model": "webcenter sites",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "banking corporate lending process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.5"
},
{
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.0"
},
{
"model": "james",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "3.3.0"
},
{
"model": "banking virtual account management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.3.0"
},
{
"model": "james",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "3.4.0"
},
{
"model": "banking credit facilities process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.2"
},
{
"model": "banking trade finance process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.2"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.59"
},
{
"model": "banking supply chain finance",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.3"
},
{
"model": "banking virtual account management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.2"
},
{
"model": "hyperion financial reporting",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.1.2.4"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "30"
},
{
"model": "banking trade finance process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.5"
},
{
"model": "banking credit facilities process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.5"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "29"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"model": "banking virtual account management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.5"
},
{
"model": "banking corporate lending process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.3"
},
{
"model": "banking supply chain finance",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.2"
},
{
"model": "hyperion financial reporting",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.2.6.0"
},
{
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.0.3"
},
{
"model": "webcenter sites",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "communications messaging server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1"
},
{
"model": "banking supply chain finance",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.5"
},
{
"model": "banking corporate lending process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.2"
},
{
"model": "communications session report manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.4.0"
},
{
"model": "banking credit facilities process management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.3"
},
{
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.0.6"
},
{
"model": "jboss fuse service works",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "jboss fuse",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "jboss fuse",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "pdfbox",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": "2.0.15"
}
],
"sources": [
{
"db": "BID",
"id": "107904"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:pdfbox:2.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:james:3.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:james:3.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.2.4.0",
"versionStartIncluding": "8.0.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-0228"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kurt Boberg of DocuSign.",
"sources": [
{
"db": "BID",
"id": "107904"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
],
"trust": 0.9
},
"cve": "CVE-2019-0228",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-0228",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-0228",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-0228",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201904-638",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2019-0228",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Apache PDFBox Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. \nAttackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. \nApache PDFBox 2.0.14 is vulnerable",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "BID",
"id": "107904"
},
{
"db": "VULMON",
"id": "CVE-2019-0228"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-0228",
"trust": 2.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2019/04/12/1",
"trust": 0.9
},
{
"db": "BID",
"id": "107904",
"trust": 0.9
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486",
"trust": 0.8
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021072725",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021042320",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021042642",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1293",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-0228",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"db": "BID",
"id": "107904"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"id": "VAR-201904-1550",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2536232
},
"last_update_date": "2023-12-18T11:06:43.194000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "[SECURITY] CVE-2019-0228 Apache PDFBox XML External Entity vulnerability",
"trust": 0.8,
"url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3cusers.pdfbox.apache.org%3e"
},
{
"title": "Apache PDFBox Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91438"
},
{
"title": "SkillSearchEngine",
"trust": 0.1,
"url": "https://github.com/bluesnbrews/skillsearchengine "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/cgcl-codes/phunter "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-611",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0228"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3cserver-dev.james.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3ccommits.tika.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3ccommits.tika.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3cserver-dev.james.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3cusers.pdfbox.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3cusers.pdfbox.apache.org%3e"
},
{
"trust": 0.9,
"url": "https://pdfbox.apache.org/"
},
{
"trust": 0.9,
"url": "https://issues.apache.org/jira/browse/pdfbox-4505"
},
{
"trust": 0.9,
"url": "https://github.com/apache/pdfbox/blob/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/fdf/fdfannotationstamp.java#l144-l164"
},
{
"trust": 0.9,
"url": "https://github.com/apache/pdfbox/releases"
},
{
"trust": 0.9,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1699740"
},
{
"trust": 0.9,
"url": "https://www.openwall.com/lists/oss-security/2019/04/12/1"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2019-0228"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0228"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3ccommits.tika.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3cusers.pdfbox.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3cusers.pdfbox.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3ccommits.tika.apache.org%3e"
},
{
"trust": 0.6,
"url": "httpd.apache.org/"
},
{
"trust": 0.6,
"url": "http://"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3cserver-dev.james.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3cserver-dev.james.apache.org%3e"
},
{
"trust": 0.6,
"url": "http://mail-archives.apache.org/mod"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-pdfbox-external-xml-entity-injection-30277"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2019-0228/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021072725"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021042642"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affects-ibm-control-center-cve-2019-0228/"
},
{
"trust": 0.6,
"url": "https://www.oracle.com/security-alerts/cpujul2021.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021042320"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/79094"
},
{
"trust": 0.6,
"url": "https://www.securityfocus.com/bid/107904"
},
{
"trust": 0.3,
"url": "http://httpd.apache.org/"
},
{
"trust": 0.3,
"url": "https://github.com/apache/pdfbox"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/611.html"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/viewalert.x?alertid=60042"
},
{
"trust": 0.1,
"url": "https://github.com/bluesnbrews/skillsearchengine"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"db": "BID",
"id": "107904"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"db": "BID",
"id": "107904"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-17T00:00:00",
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"date": "2019-04-15T00:00:00",
"db": "BID",
"id": "107904"
},
{
"date": "2019-05-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"date": "2019-04-17T15:29:00.703000",
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2019-04-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2019-0228"
},
{
"date": "2019-04-15T00:00:00",
"db": "BID",
"id": "107904"
},
{
"date": "2019-05-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003486"
},
{
"date": "2023-11-07T03:01:52.850000",
"db": "NVD",
"id": "CVE-2019-0228"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-10-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-638"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache PDFBox In XML External entity vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003486"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 0.6
}
}
FKIE_CVE-2023-51747
Vulnerability from fkie_nvd - Published: 2024-02-27 14:15 - Updated: 2025-05-05 21:02
Severity ?
Summary
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "40A5D89F-8F58-45CD-8AC6-9A6DCA6DEBF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:james:3.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A6759186-CA76-4B74-8C89-6AB659477F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.\n\nA lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.\n\nThe patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.\n\nWe recommend James users to upgrade to non vulnerable versions."
},
{
"lang": "es",
"value": "Apache James anterior a las versiones 3.8.1 y 3.7.5 es vulnerable al contrabando SMTP. Un comportamiento indulgente en el manejo del delimitador de l\u00ednea podr\u00eda crear una diferencia de interpretaci\u00f3n entre el remitente y el receptor que un atacante puede aprovechar para falsificar un sobre SMTP, permitiendo, por ejemplo, eludir las comprobaciones SPF. El parche implica la aplicaci\u00f3n de CRLF como delimitador de l\u00ednea como parte de la transacci\u00f3n de DATOS. Recomendamos a los usuarios de James que actualicen a versiones no vulnerables."
}
],
"id": "CVE-2023-51747",
"lastModified": "2025-05-05T21:02:14.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-27T14:15:27.030",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-290"
},
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-51518
Vulnerability from fkie_nvd - Published: 2024-02-27 09:15 - Updated: 2025-05-05 21:01
Severity ?
Summary
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default JMX endpoint is only bound locally.
We recommend users to:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or | Vendor Advisory, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or | Vendor Advisory, Mailing List |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "40A5D89F-8F58-45CD-8AC6-9A6DCA6DEBF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:james:3.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "30D1AC70-87D6-4FA1-A995-14AB73002CD3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n\u00a0- Upgrade to a non-vulnerable Apache James version\n\n\u00a0- Run Apache James isolated from other processes (docker - dedicated virtual machine)\n\u00a0- If possible turn off JMX\n\n"
},
{
"lang": "es",
"value": "Apache James anterior a las versiones 3.7.5 y 3.8.0 expone un endpoint JMX en localhost sujeto a deserializaci\u00f3n previa a la autenticaci\u00f3n de datos que no son de confianza. Dado un dispositivo de deserializaci\u00f3n, esto podr\u00eda aprovecharse como parte de una cadena de explotaci\u00f3n que podr\u00eda resultar en una escalada de privilegios. Tenga en cuenta que, de forma predeterminada, el endpoint JMX solo est\u00e1 vinculado localmente. Recomendamos a los usuarios: - Actualizar a una versi\u00f3n de Apache James no vulnerable - Ejecutar Apache James aislado de otros procesos (docker - m\u00e1quina virtual dedicada) - Si es posible, desactive JMX"
}
],
"id": "CVE-2023-51518",
"lastModified": "2025-05-05T21:01:52.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-27T09:15:36.983",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory",
"Mailing List"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory",
"Mailing List"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-26269
Vulnerability from fkie_nvd - Published: 2023-04-03 08:15 - Updated: 2025-02-13 17:16
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a
malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFB7B7EE-9A46-4E20-AF69-D74FB48C5C60",
"versionEndExcluding": "3.7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users."
}
],
"id": "CVE-2023-26269",
"lastModified": "2025-02-13T17:16:11.863",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-04-03T08:15:07.087",
"references": [
{
"source": "security@apache.org",
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2022-45935
Vulnerability from fkie_nvd - Published: 2023-01-06 10:15 - Updated: 2025-04-10 14:15
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
Vulnerable components includes the SMTP stack and IMAP APPEND command.
This issue affects Apache James server version 3.7.2 and prior versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0C5B5CE-7844-48F0-A791-3823B74B4F1A",
"versionEndIncluding": "3.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
},
{
"lang": "es",
"value": "El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\u00f3n 3.7.2 y versiones anteriores."
}
],
"id": "CVE-2022-45935",
"lastModified": "2025-04-10T14:15:24.033",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-01-06T10:15:10.447",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45787
Vulnerability from fkie_nvd - Published: 2023-01-06 10:15 - Updated: 2025-04-09 20:15
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users to upgrade to MIME4j version 0.8.9 or later.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:*:*:*:*:mime4j:*:*:*",
"matchCriteriaId": "36FAB00E-6832-4BBB-BE8D-22E47940C57F",
"versionEndExcluding": "0.8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n"
},
{
"lang": "es",
"value": "Los permisos laxos inadecuados en los archivos temporales utilizados por MIME4J TempFileStorageProvider pueden provocar la divulgaci\u00f3n de informaci\u00f3n a otros usuarios locales. Este problema afecta a Apache James MIME4J versi\u00f3n 0.8.8 y versiones anteriores. Recomendamos a los usuarios que actualicen a MIME4j versi\u00f3n 0.8.9 o posterior."
}
],
"id": "CVE-2022-45787",
"lastModified": "2025-04-09T20:15:22.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-01-06T10:15:10.383",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-28220
Vulnerability from fkie_nvd - Published: 2022-09-08 08:15 - Updated: 2024-11-21 06:56
Severity ?
Summary
Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/09/20/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://james.apache.org/james/update/2022/08/26/james-3.7.1.html | Patch, Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
"matchCriteriaId": "423D85DB-E258-4B34-B941-99C4458273E6",
"versionEndIncluding": "3.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:james:3.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7D32CBE3-3A1D-4D8F-8C91-E127FAB55BFF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests."
},
{
"lang": "es",
"value": "Apache James versiones anteriores a 3.6.3 y 3.7.1, es vulnerable a un ataque de almacenamiento en b\u00fafer que depende del uso del comando STARTTLS.\u0026#xa0;La correcci\u00f3n de CVE-2021-38542, que resolvi\u00f3 un problema similar de Apache James versi\u00f3n 3.6.1, est\u00e1 sujeta a un diferencial de analizador y no toma en cuenta las peticiones simult\u00e1neas"
}
],
"id": "CVE-2022-28220",
"lastModified": "2024-11-21T06:56:58.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-08T08:15:07.813",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-51747 (GCVE-0-2023-51747)
Vulnerability from cvelistv5 – Published: 2024-02-27 13:08 – Updated: 2025-02-13 17:19
VLAI?
Summary
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.4
(semver)
Affected: 3.8 , ≤ 3.8.0 (semver) |
Credits
Benoit TELLIER
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:37:43.302258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T19:08:00.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"related",
"x_transferred"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.0",
"status": "affected",
"version": "3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "Benoit TELLIER"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.\u003cbr\u003e\u003cbr\u003eA lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.\u003cbr\u003e\u003cbr\u003eThe patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.\u003cbr\u003e\u003cbr\u003eWe recommend James users to upgrade to non vulnerable versions.\u003cbr\u003e"
}
],
"value": "Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.\n\nA lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.\n\nThe patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.\n\nWe recommend James users to upgrade to non vulnerable versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T13:10:07.890Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
},
{
"tags": [
"related"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SMTP smuggling in Apache James",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51747",
"datePublished": "2024-02-27T13:08:01.807Z",
"dateReserved": "2023-12-22T16:12:33.074Z",
"dateUpdated": "2025-02-13T17:19:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51518 (GCVE-0-2023-51518)
Vulnerability from cvelistv5 – Published: 2024-02-27 09:09 – Updated: 2024-08-22 20:42
VLAI?
Summary
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default JMX endpoint is only bound locally.
We recommend users to:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.4
(semver)
Affected: 3.8 , ≤ 3.8.0 (custom) |
Credits
Mal Aware
Arnout Engelen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:10.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "james_server",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.8"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T20:42:32.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:42:38.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.0",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mal Aware"
},
{
"lang": "en",
"type": "analyst",
"value": "Arnout Engelen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\u003cbr\u003eGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\u003cbr\u003e\u003cdiv\u003eNote that by default JMX endpoint is only bound locally.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eWe recommend users to:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;- Upgrade to a non-vulnerable Apache James version\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;- Run Apache James isolated from other processes (docker - dedicated virtual machine)\u003cbr\u003e\u0026nbsp;- If possible turn off JMX\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n\u00a0- Upgrade to a non-vulnerable Apache James version\n\n\u00a0- Run Apache James isolated from other processes (docker - dedicated virtual machine)\n\u00a0- If possible turn off JMX\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T09:09:31.579Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James server: Privilege escalation via JMX pre-authentication deserialisation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51518",
"datePublished": "2024-02-27T09:09:31.579Z",
"dateReserved": "2023-12-20T16:14:49.938Z",
"dateUpdated": "2024-08-22T20:42:38.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26269 (GCVE-0-2023-26269)
Vulnerability from cvelistv5 – Published: 2023-04-03 07:59 – Updated: 2025-02-13 16:44
VLAI?
Summary
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a
malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.3
(semver)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "james_server",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.7.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-26269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:09:13.520369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:10:14.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Matei \"Mal\" Badanoiu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\u003c/div\u003e\u003cdiv\u003eAdministrators are advised to disable JMX, or set up a JMX password.\u003c/div\u003e\u003cdiv\u003eNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T02:06:14.335Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache James server: Privilege escalation through unauthenticated JMX",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-26269",
"datePublished": "2023-04-03T07:59:13.228Z",
"dateReserved": "2023-02-21T08:48:22.411Z",
"dateUpdated": "2025-02-13T16:44:53.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45935 (GCVE-0-2022-45935)
Vulnerability from cvelistv5 – Published: 2023-01-06 09:33 – Updated: 2025-04-10 13:35
VLAI?
Summary
Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
Vulnerable components includes the SMTP stack and IMAP APPEND command.
This issue affects Apache James server version 3.7.2 and prior versions.
Severity ?
No CVSS data available.
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.2
(semver)
|
Credits
Benoit Tellier
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:35:27.107323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:35:31.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Benoit Tellier"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions."
}
],
"value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:18:19.197Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James server: Temporary File Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45935",
"datePublished": "2023-01-06T09:33:30.150Z",
"dateReserved": "2022-11-27T08:53:19.892Z",
"dateUpdated": "2025-04-10T13:35:31.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45787 (GCVE-0-2022-45787)
Vulnerability from cvelistv5 – Published: 2023-01-06 09:31 – Updated: 2025-04-09 19:32
VLAI?
Summary
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users to upgrade to MIME4j version 0.8.9 or later.
Severity ?
No CVSS data available.
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James MIME4J |
Affected:
0 , ≤ 0.8.8
(custom)
|
Credits
Jonathan Leitschuh
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T19:31:06.959423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T19:32:09.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James MIME4J",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.8.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonathan Leitschuh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade to MIME4j version 0.8.9 or later.\u003cbr\u003e"
}
],
"value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-16T10:27:24.515Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45787",
"datePublished": "2023-01-06T09:31:40.118Z",
"dateReserved": "2022-11-22T08:49:26.227Z",
"dateUpdated": "2025-04-09T19:32:09.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28220 (GCVE-0-2022-28220)
Vulnerability from cvelistv5 – Published: 2022-09-08 07:40 – Updated: 2024-08-03 05:48
VLAI?
Summary
Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.
Severity ?
No CVSS data available.
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James |
Affected:
Apache James , ≤ 3.6.2
(custom)
|
Credits
Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:48:37.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
},
{
"name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache James",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.6.2",
"status": "affected",
"version": "Apache James",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests."
}
],
"metrics": [
{
"other": {
"content": {
"other": "This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3."
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-20T11:06:21",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
},
{
"name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
}
],
"source": {
"defect": [
"JAMES-1862"
],
"discovery": "UNKNOWN"
},
"title": "STARTTLS command injection in Apache JAMES",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache James 3.7.1 or Apache James 3.6.3."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-28220",
"STATE": "PUBLIC",
"TITLE": "STARTTLS command injection in Apache JAMES"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache James",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache James",
"version_value": "3.6.2"
},
{
"version_affected": "\u003c=",
"version_name": "Apache James",
"version_value": "3.7.0 +1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3."
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html",
"refsource": "MISC",
"url": "https://james.apache.org/james/update/2022/08/26/james-3.7.1.html"
},
{
"name": "[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/20/1"
}
]
},
"source": {
"defect": [
"JAMES-1862"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache James 3.7.1 or Apache James 3.6.3."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28220",
"datePublished": "2022-09-08T07:40:09",
"dateReserved": "2022-03-30T00:00:00",
"dateUpdated": "2024-08-03T05:48:37.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51747 (GCVE-0-2023-51747)
Vulnerability from nvd – Published: 2024-02-27 13:08 – Updated: 2025-02-13 17:19
VLAI?
Summary
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.
A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.
The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.
We recommend James users to upgrade to non vulnerable versions.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.4
(semver)
Affected: 3.8 , ≤ 3.8.0 (semver) |
Credits
Benoit TELLIER
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T20:37:43.302258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T19:08:00.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"related",
"x_transferred"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.0",
"status": "affected",
"version": "3.8",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "Benoit TELLIER"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.\u003cbr\u003e\u003cbr\u003eA lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.\u003cbr\u003e\u003cbr\u003eThe patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.\u003cbr\u003e\u003cbr\u003eWe recommend James users to upgrade to non vulnerable versions.\u003cbr\u003e"
}
],
"value": "Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.\n\nA lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.\n\nThe patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.\n\nWe recommend James users to upgrade to non vulnerable versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T13:10:07.890Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"
},
{
"tags": [
"related"
],
"url": "https://postfix.org/smtp-smuggling.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SMTP smuggling in Apache James",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51747",
"datePublished": "2024-02-27T13:08:01.807Z",
"dateReserved": "2023-12-22T16:12:33.074Z",
"dateUpdated": "2025-02-13T17:19:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51518 (GCVE-0-2023-51518)
Vulnerability from nvd – Published: 2024-02-27 09:09 – Updated: 2024-08-22 20:42
VLAI?
Summary
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default JMX endpoint is only bound locally.
We recommend users to:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.4
(semver)
Affected: 3.8 , ≤ 3.8.0 (custom) |
Credits
Mal Aware
Arnout Engelen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:10.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "james_server",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.8"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T20:42:32.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:42:38.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.0",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mal Aware"
},
{
"lang": "en",
"type": "analyst",
"value": "Arnout Engelen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\u003cbr\u003eGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\u003cbr\u003e\u003cdiv\u003eNote that by default JMX endpoint is only bound locally.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eWe recommend users to:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;- Upgrade to a non-vulnerable Apache James version\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;- Run Apache James isolated from other processes (docker - dedicated virtual machine)\u003cbr\u003e\u0026nbsp;- If possible turn off JMX\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n\u00a0- Upgrade to a non-vulnerable Apache James version\n\n\u00a0- Run Apache James isolated from other processes (docker - dedicated virtual machine)\n\u00a0- If possible turn off JMX\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T09:09:31.579Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James server: Privilege escalation via JMX pre-authentication deserialisation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51518",
"datePublished": "2024-02-27T09:09:31.579Z",
"dateReserved": "2023-12-20T16:14:49.938Z",
"dateUpdated": "2024-08-22T20:42:38.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26269 (GCVE-0-2023-26269)
Vulnerability from nvd – Published: 2023-04-03 07:59 – Updated: 2025-02-13 16:44
VLAI?
Summary
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a
malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.3
(semver)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "james_server",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "3.7.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-26269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:09:13.520369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:10:14.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Matei \"Mal\" Badanoiu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\u003c/div\u003e\u003cdiv\u003eAdministrators are advised to disable JMX, or set up a JMX password.\u003c/div\u003e\u003cdiv\u003eNote that version 3.7.4 onward will set up a JMX password automatically for Guice users.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a \nmalicious local user.\n\nAdministrators are advised to disable JMX, or set up a JMX password.\n\nNote that version 3.7.4 onward will set up a JMX password automatically for Guice users."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T02:06:14.335Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/04/18/3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache James server: Privilege escalation through unauthenticated JMX",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-26269",
"datePublished": "2023-04-03T07:59:13.228Z",
"dateReserved": "2023-02-21T08:48:22.411Z",
"dateUpdated": "2025-02-13T16:44:53.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45935 (GCVE-0-2022-45935)
Vulnerability from nvd – Published: 2023-01-06 09:33 – Updated: 2025-04-10 13:35
VLAI?
Summary
Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
Vulnerable components includes the SMTP stack and IMAP APPEND command.
This issue affects Apache James server version 3.7.2 and prior versions.
Severity ?
No CVSS data available.
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.2
(semver)
|
Credits
Benoit Tellier
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:35:27.107323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:35:31.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Benoit Tellier"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions."
}
],
"value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:18:19.197Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James server: Temporary File Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45935",
"datePublished": "2023-01-06T09:33:30.150Z",
"dateReserved": "2022-11-27T08:53:19.892Z",
"dateUpdated": "2025-04-10T13:35:31.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45787 (GCVE-0-2022-45787)
Vulnerability from nvd – Published: 2023-01-06 09:31 – Updated: 2025-04-09 19:32
VLAI?
Summary
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users to upgrade to MIME4j version 0.8.9 or later.
Severity ?
No CVSS data available.
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache James MIME4J |
Affected:
0 , ≤ 0.8.8
(custom)
|
Credits
Jonathan Leitschuh
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:04.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T19:31:06.959423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T19:32:09.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James MIME4J",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.8.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonathan Leitschuh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade to MIME4j version 0.8.9 or later.\u003cbr\u003e"
}
],
"value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-16T10:27:24.515Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45787",
"datePublished": "2023-01-06T09:31:40.118Z",
"dateReserved": "2022-11-22T08:49:26.227Z",
"dateUpdated": "2025-04-09T19:32:09.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}