CVE-2021-40111
CVE-2021-40111 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In Apache James prior to version 3.6.1, crafted IMAP APPEND and STATUS commands sent by an authenticated user can trigger infinite loops in the IMAP parsing stack, resulting in expensive CPU computation and OutOfMemory exceptions, which can be used for a denial-of-service attack. EPSS estimates a 2.12% chance of exploitation in the next 30 days.
Description
In Apache James, while fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops, resulting in expensive CPU computation and OutOfMemory exceptions. This can be used for a denial-of-service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affects Apache James prior to version 3.6.1. The vulnerability has been patched in Apache James 3.6.1 and higher; we recommend upgrading.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | James | < 3.6.1 |
References
- http://www.openwall.com/lists/oss-security/2022/01/04/3 (Mailing List, Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2022/01/04/3 (Mailing List, Third Party Advisory)
Source: NVD / NIST
