VDB
CVE-2021-38542
PUBLISHED
CVSS 4.3 MEDIUM
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.
EPSS 0.61% · 70.2th percentile
Risk Scores
CVSS v2.0
4.3
EPSS Score
0.61%
70.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maven | org.apache.james:james-server | 0 |
| apache | james | 0 |
| Apache Software Foundation | Apache James | Apache James |
Timeline
- Jan 4, 2022 CVE Published
- Jan 5, 2022 EPSS Score
- Jan 13, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 22, 2022 EPSS Score
- Jun 15, 2022 EPSS Score
- Sep 21, 2022 CVE Updated
- Oct 1, 2022 EPSS Score
- Nov 23, 2022 EPSS Score
- Jan 16, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
References
- https://www.openwall.com/lists/oss-security/2022/01/04/1 url
- [oss-security] 20220104 CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3) mailing-list
- [oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2021-38542 advisory