Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-40111

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade.

Published

2022-01-04T09:15:07.377

Last Modified

2024-11-21T06:23:35.487

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-835

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	james	< 3.6.1	Yes

References

http://www.openwall.com/lists/oss-security/2022/01/04/3 Mailing List, Third Party Advisory ([email protected])
https://www.openwall.com/lists/oss-security/2022/01/04/3 Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/01/04/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.openwall.com/lists/oss-security/2022/01/04/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)