Vulnerability Description
In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | James | < 3.6.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/01/04/3Mailing ListThird Party Advisory
- https://www.openwall.com/lists/oss-security/2022/01/04/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2022/01/04/3Mailing ListThird Party Advisory
- https://www.openwall.com/lists/oss-security/2022/01/04/3Mailing ListThird Party Advisory
FAQ
What is CVE-2021-40111?
CVE-2021-40111 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computatio...
How severe is CVE-2021-40111?
CVE-2021-40111 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-40111?
Check the references section above for vendor advisories and patch information. Affected products include: Apache James.