GHSA-fqgw-6qj5-8hmp

Source
https://github.com/advisories/GHSA-fqgw-6qj5-8hmp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-fqgw-6qj5-8hmp/GHSA-fqgw-6qj5-8hmp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fqgw-6qj5-8hmp
Published
2022-01-08T00:40:37Z
Modified
2024-12-04T05:46:02.948705Z
Summary
Infinite Loop in Apache James
Details

In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affects Apache James prior to version 3.6.1. The vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading.

Database specific
{
    "nvd_published_at": "2022-01-04T09:15:00Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-07T18:33:44Z"
}
Affected packages

Maven / org.apache.james:james-server

Package

Name
org.apache.james:james-server
Purl
pkg:maven/org.apache.james/james-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.6.1

Affected versions

3.*

3.0-beta2
3.0-beta3
3.0-beta4
3.0.0-beta5
3.0-M1
3.0-M2
3.0.0-RC1
3.0.0
3.0.1
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0