#VU59161 Command Injection in Apache James - CVE-2021-38542

Published: January 4, 2022


Vulnerability identifier: #VU59161
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-38542
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache James
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to inject arbitrary IMAP or POP3 commands into a victim's session.

The vulnerability exists due to an incorrect implementation of the STARTTLS command (STLS in POP3) in the IMAP and POP3 servers. Plaintext bytes that the server has already read into its buffer when it processes the STARTTLS command are not discarded before the TLS handshake, so anything that follows the STARTTLS line in the same plaintext read is kept and processed once the encrypted session is established. A remote attacker able to perform a MitM attack on the unencrypted part of the connection can append arbitrary IMAP or POP3 commands to the client's STARTTLS command; the server then executes these attacker-supplied commands inside the TLS session as if the legitimate client had sent them. The attacker does not need to break or intercept the TLS handshake itself, only to tamper with the plaintext that precedes it.
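The buffering failure described above, as an added simulation that is not part of this advisory or of the Apache James code base. The TLS handshake is stubbed out (a flag flips), because the flaw lives entirely in what happens to plaintext that is already sitting in the read buffer; `ToyImapServer`, `mitm_append`, `run_attack` and `probe_is_vulnerable` are names invented for this example, and the wire bytes are constructed to model a client STARTTLS with an attacker-appended NOOP. POP3 STLS is affected in the same way; the example uses IMAP's tagged syntax only.

```python
# Illustrative simulation written for this page, not Apache James source.
# All names here are invented for the example.

from typing import List, Tuple

LogEntry = Tuple[str, str, bool]   # (tag, command, executed inside TLS?)


class ToyImapServer:
    """Minimal IMAP-style command loop with a switchable STARTTLS bug.

    The handshake is simulated: `tls` simply becomes True. What matters is
    what happens to bytes that were already in the plaintext read buffer
    when the handshake started.
    """

    def __init__(self, discard_plaintext_on_starttls: bool) -> None:
        self.discard = discard_plaintext_on_starttls
        self.buf = b""          # bytes read from the socket, not yet parsed
        self.tls = False        # True once the (simulated) handshake is done
        self.log: List[LogEntry] = []

    def receive(self, segment: bytes) -> None:
        """Feed the raw bytes of one TCP segment, as a socket read would."""
        self.buf += segment
        self._dispatch()

    def _dispatch(self) -> None:
        # Drain every complete line currently buffered. In the vulnerable
        # configuration this loop keeps running after the TLS flag flips,
        # so leftover plaintext lines are executed "inside" the TLS session.
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            tag, _, command = line.decode("ascii", "replace").partition(" ")
            self.log.append((tag, command.upper(), self.tls))
            if command.upper() == "STARTTLS" and not self.tls:
                self._upgrade_to_tls()

    def _upgrade_to_tls(self) -> None:
        # Hardened behaviour: bytes that arrived in plaintext after the
        # STARTTLS line are untrusted (RFC 2595 forbids the client from
        # pipelining here), so drop them before handing the socket to TLS.
        # A production server should rather close the connection when the
        # buffer is non-empty, since that indicates tampering or a broken
        # client.
        if self.discard:
            self.buf = b""
        self.tls = True
        # Vulnerable behaviour: self.buf still holds the leftover plaintext
        # and _dispatch() keeps consuming it with self.tls == True.


def mitm_append(client_segment: bytes, injected: bytes) -> bytes:
    """Model the on-path attacker: tamper with the client's plaintext
    segment by appending commands after its STARTTLS line. The attacker
    never touches the TLS handshake that follows; write access to the
    unencrypted bytes before it is enough."""
    return client_segment + injected


def run_attack(server: ToyImapServer) -> List[LogEntry]:
    """Drive one connection: the client sends a plain STARTTLS, the MitM
    appends a NOOP tagged 'x1', and the server's execution log is returned."""
    client_bytes = b"a1 STARTTLS\r\n"          # constructed client traffic
    wire_bytes = mitm_append(client_bytes, b"x1 NOOP\r\n")
    server.receive(wire_bytes)
    return server.log


def probe_is_vulnerable(server: ToyImapServer) -> bool:
    """Simple check: pipeline a command after STARTTLS in one segment and
    see whether it is processed after the handshake. True means the
    buffered plaintext command ran inside the TLS session."""
    log = run_attack(server)
    return any(cmd != "STARTTLS" and in_tls for _, cmd, in_tls in log)


if __name__ == "__main__":
    for name, discard in (("vulnerable", False), ("fixed", True)):
        print(name, run_attack(ToyImapServer(discard)),
              "vulnerable" if probe_is_vulnerable(ToyImapServer(discard)) else "ok")
```

Against a live server the same probe is one write containing `a1 STARTTLS\r\nx1 NOOP\r\n`, followed by a normal TLS handshake; a server that answers `x1` inside the encrypted channel has executed plaintext-injected input.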


Remediation

Install updates from vendor's website. Until the fix is deployed, serving IMAP and POP3 over implicit TLS (IMAPS on port 993, POP3S on port 995) instead of STARTTLS removes the plaintext phase this attack depends on.

External links