GHSA-w45j-f5g5-w94x

Source

https://github.com/advisories/GHSA-w45j-f5g5-w94x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-w45j-f5g5-w94x/GHSA-w45j-f5g5-w94x.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-w45j-f5g5-w94x

Aliases

CVE-2022-28220

Related

CGA-7hx6-qw5m-gmr2

Published

2022-09-09T00:00:57Z

Modified

2026-01-30T02:38:40.466679Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Apache James vulnerable to buffering attack

Details

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

Database specific

{
    "nvd_published_at": "2022-09-08T08:15:00Z",
    "github_reviewed_at": "2022-09-15T03:33:49Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed": true,
    "severity": "HIGH"
}

References

Affected packages

Maven / org.apache.james:james-server

Package

Name: org.apache.james:james-server; View open source insights on deps.dev
Purl: pkg:maven/org.apache.james/james-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.3

Affected versions

3.*

3.0-beta2

3.0-beta3

3.0-beta4

3.0.0-beta5

3.0-M1

3.0-M2

3.0.0-RC1

3.0.0

3.0.1

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.6.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-w45j-f5g5-w94x/GHSA-w45j-f5g5-w94x.json"