#VU59161 Command Injection in Apache James


Published: 2022-01-04

Vulnerability identifier: #VU59161

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38542

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache James
Server applications / Mail servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to inject arbitrary IMAP or POP3 commands into a victim's session.

The vulnerability exists due to an incorrect implementation of the STARTTLS command in the IMAP and POP3 servers. The server does not discard plaintext data that it has already read when it processes STARTTLS, so any bytes that follow the STARTTLS command in the same TCP segment stay in the input buffer and are parsed as the first commands of the encrypted session. A remote attacker in a man-in-the-middle position on the client's plaintext connection can append arbitrary IMAP or POP3 commands to the STARTTLS line; the server executes them after the TLS session has been established, in the context the client believes is protected. No credentials are required, but the attacker must be able to modify the client's traffic before the TLS handshake.
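The buffering flaw, as an added runnable model written for this bulletin (it is not Apache James code, and all traffic in it is constructed): a minimal line-oriented IMAP front end reads from the socket into a buffer, and the two policies differ only in whether the buffer is emptied when STARTTLS is processed. The `Transport`, `ImapFrontEnd`, `simulate` and `probe` names are this example's own, and `x NOOP` stands in for whatever command an attacker would inject.

```python
"""Model of the STARTTLS buffering flaw described above (CVE-2021-38542 class).

Added illustration, not Apache James code. A MitM appends a command to the
client's "a STARTTLS" line. A server that keeps bytes already read in
plaintext executes that command as the first command inside TLS.
"""
import io


class Transport:
    """Stand-in for a TCP socket that can be upgraded to TLS (no real TLS).

    `plain` is what the server reads before the upgrade (possibly modified
    by a MitM); `tls` is what the honest client sends inside TLS afterwards.
    """

    def __init__(self, plain: bytes, tls: bytes) -> None:
        self._plain = io.BytesIO(plain)
        self._tls = io.BytesIO(tls)
        self.upgraded = False

    def read(self, n: int = 4096) -> bytes:
        # One read can return several pipelined lines at once; that is the
        # behaviour the attack relies on.
        src = self._tls if self.upgraded else self._plain
        return src.read(n)

    def upgrade(self) -> None:
        self.upgraded = True


class ImapFrontEnd:
    """Pre-authentication IMAP command loop with a switchable buffer policy."""

    def __init__(self, transport: Transport, discard_on_starttls: bool) -> None:
        self.t = transport
        self.discard_on_starttls = discard_on_starttls
        self.buf = b""
        self.executed = []  # (tag, command, executed_over_tls)

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.t.read()
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def run(self):
        while True:
            line = self._readline()
            if line is None:
                break
            tag, _, rest = line.decode("ascii", "replace").partition(" ")
            cmd = rest.split(" ", 1)[0].upper()
            if cmd == "STARTTLS" and not self.t.upgraded:
                self.executed.append((tag, cmd, False))
                self.t.upgrade()  # "a OK Begin TLS negotiation" then handshake
                if self.discard_on_starttls:
                    # Fix: nothing read in plaintext alongside STARTTLS may
                    # be parsed as part of the TLS session.
                    self.buf = b""
                continue
            self.executed.append((tag, cmd, self.t.upgraded))
            if cmd == "LOGOUT":
                break
        return self.executed


# Constructed traffic (not a real capture).
CLIENT_PLAIN = b"a STARTTLS\r\n"
INJECTED = b"x NOOP\r\n"  # benign stand-in for an attacker-chosen command
CLIENT_TLS = b"b LOGIN alice secret\r\nc LOGOUT\r\n"
CLIENT_TAGS = {"a", "b", "c"}


def simulate(discard_on_starttls: bool, mitm: bool):
    plain = CLIENT_PLAIN + (INJECTED if mitm else b"")
    return ImapFrontEnd(Transport(plain, CLIENT_TLS), discard_on_starttls).run()


def injected_command_ran_over_tls(executed) -> bool:
    """Tell-tale sign: a tag the client never sent is processed inside TLS."""
    return any(tls and tag not in CLIENT_TAGS for tag, _, tls in executed)


def probe(host: str, port: int = 143, timeout: float = 5.0) -> bool:
    """Live check (hypothetical helper, not run by the tests): True if the
    server answers the injected tag inside TLS. Only for authorised testing."""
    import socket
    import ssl
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)                              # server greeting
        s.sendall(CLIENT_PLAIN + INJECTED)        # one segment, as a MitM would send
        s.recv(4096)                              # plaintext "a OK ..." reply
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE           # probe only; not authenticating the server
        tls = ctx.wrap_socket(s, server_hostname=host)
        try:
            data = tls.recv(4096)                 # a fixed server sends nothing here
        except socket.timeout:
            return False
        return data.startswith(b"x ")
```

Running `simulate(False, True)` shows `("x", "NOOP", True)` executed inside TLS between the client's STARTTLS and LOGIN; with `discard_on_starttls=True` the injected line is dropped and the honest client's commands are unaffected. `probe` does the same thing against a live server: it pipelines `x NOOP` after STARTTLS in one write, completes the handshake, and treats any `x ...` response arriving over TLS as a positive result.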

Mitigation
Install updates from the vendor's website. Where the deployment allows it, prefer the implicit-TLS ports (IMAPS/POP3S) over STARTTLS; they have no plaintext-to-TLS transition for an attacker to abuse.

Vulnerable software versions

Apache James: 2.1 - 2.1.3, 2.2.0, 2.3.0 - 2.3.2.1, 3.0 beta2 - 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0


External links
http://seclists.org/oss-sec/2022/q1/1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet, provided the attacker can intercept and modify the client's connection before the TLS handshake (man-in-the-middle position).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
