CVE-2021-40525

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-40525

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40525.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-40525

Aliases

GHSA-c38m-7h53-g9v4

Related

CGA-724p-xwpj-hp66

Published

2022-01-04T09:15:07Z

Modified

2025-01-14T09:49:34.241801Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.

References

Affected packages

Git / github.com/apache/james-project

Affected ranges

Type: GIT
Repo: https://github.com/apache/james-project
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1a99bbf78209779e4f90369afba43f1536b633e4

Affected versions

Other

cassandra_migration_v1_to_v2

james-project-3.*

james-project-3.0-beta5

james-project-3.0.0

james-project-3.0.0-RC1

james-project-3.0.0-beta5

james-project-3.3.0

james-project-3.4.0

james-project-3.6.0

james-project-3.6.1

pre-3.*

pre-3.1.0