CVE-2021-40525
PUBLISHED
CVSS 6.4 MEDIUM
The Apache James ManagedSieve implementation, alongside the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading. Distributed and Cassandra-based products are also not impacted.
EPSS 2.77% · 86.3th percentile
Risk Scores
- CVSS v2.0: 6.4
- EPSS Score: 2.77% (86.3th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache James | Apache James |
| Maven | org.apache.james:james-server | 0 |
| apache | james | 0 |
Timeline
- Jan 4, 2022 CVE Published
- Jan 5, 2022 EPSS Score
- Jan 13, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 30, 2022 CVE Updated
- Apr 22, 2022 EPSS Score
- Jun 15, 2022 EPSS Score
- Aug 8, 2022 EPSS Score
- Oct 1, 2022 EPSS Score
- Nov 23, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 10, 2023 EPSS Score
References
- https://www.openwall.com/lists/oss-security/2022/01/04/4 (url)
- [oss-security] 20220104 CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks (mailing-list)
- [oss-security] 20220207 CVE-2022-22931: Path traversal in Apache James (mailing-list)
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525 (advisory)
- https://github.com/apache/james-project (package)