CVE-2021-40110

Apache James IMAP vulnerable to a ReDoS

EPSS 2.9%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 2.9%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Jan 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

Affected products

Apache Software Foundation · Apache James

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.openwall.com/lists/oss-security/2022/01/04/2 http://www.openwall.com/lists/oss-security/2022/01/04/2