QwikSec

Security Database

CVE

CWE

Training

CVE-2022-28220

Published: Sep 8, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

Vendor	Product	Versions
Apache Software Foundation	Apache James	affected `Apache James - <= 3.6.2`

Weaknesses (CWE)

References

https://james.apache.org/james/update/2022/08/26/james-3.7.1.html

x_refsource_MISC

[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.