Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMzhtLTdoNTMtZzl2NM0gwQ
Path traversal in Apache James
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.
Permalink: https://github.com/advisories/GHSA-c38m-7h53-g9v4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMzhtLTdoNTMtZzl2NM0gwQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-c38m-7h53-g9v4, CVE-2021-40525
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525
- https://www.openwall.com/lists/oss-security/2022/01/04/4
- http://www.openwall.com/lists/oss-security/2022/01/04/4
- http://www.openwall.com/lists/oss-security/2022/02/07/1
- https://github.com/advisories/GHSA-c38m-7h53-g9v4
Affected Packages
maven:org.apache.james:james-server
Dependent packages: 1Dependent repositories: 15
Downloads:
Affected Version Ranges: < 3.6.1
Fixed in: 3.6.1
All affected versions: 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0
All unaffected versions: 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.8.0, 3.8.1