GHSA-c38m-7h53-g9v4

Source
https://github.com/advisories/GHSA-c38m-7h53-g9v4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-c38m-7h53-g9v4/GHSA-c38m-7h53-g9v4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c38m-7h53-g9v4
Published
2022-01-21T23:36:47Z
Modified
2023-11-08T04:06:48.029574Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Path traversal in Apache James
Details

The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading. Distributed and Cassandra-based products are not impacted.

Database specific
{
    "nvd_published_at": "2022-01-04T09:15:00Z",
    "github_reviewed_at": "2022-01-13T18:51:30Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

Affected packages

Maven / org.apache.james:james-server

Package

Name
org.apache.james:james-server
Purl
pkg:maven/org.apache.james/james-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.6.1

Affected versions

3.*

3.0-beta2
3.0-beta3
3.0-beta4
3.0.0-beta5
3.0-M1
3.0-M2
3.0.0-RC1
3.0.0
3.0.1
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0