CVE-2022-28220 — Vulnetix

CVE-2022-28220 PUBLISHED

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

EPSS 9.18% · 92.8th percentile

Risk Scores

EPSS Score

9.18%

92.8th percentile

Affected Products

Vendor	Product	Versions
apache	james	0, 3.7.0
Maven	org.apache.james:james-server	3.7.0, 3.7.0, 0
Apache Software Foundation	Apache James	Apache James

Timeline

Sep 8, 2022 CVE Published
Sep 9, 2022 EPSS Score
Sep 15, 2022 CVE Updated
Oct 24, 2022 EPSS Score
Dec 8, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 8, 2023 EPSS Score
Apr 22, 2023 EPSS Score
Jun 6, 2023 EPSS Score
Jul 21, 2023 EPSS Score
Oct 20, 2023 EPSS Score
Dec 4, 2023 EPSS Score

References

https://james.apache.org/james/update/2022/08/26/james-3.7.1.html url
[oss-security] 20220919 CVE-2022-28220: STARTTLS command injection in Apache JAMES mailing-list
https://nvd.nist.gov/vuln/detail/CVE-2022-28220 advisory
https://github.com/apache/james-project package

Open in Interactive Console →