Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2022-22931: Path traversal in Apache James

Related Vulnerabilities: CVE-2022-22931   CVE-2021-40525  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2022-22931: Path traversal in Apache James

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Benoit Tellier &lt;btellier () apache org&gt;

Date: Mon, 07 Feb 2022 04:39:16 +0000

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity: moderate

Description:

Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations.

Affected implementations include:
 - maildir mailbox store
 - Sieve file repository

This enables a user to access other users data stores (limited to user names being prefixed by the value of the 
username being used).

Mitigation:

This had been fixed in Apache James 3.6.2.

Credit:

These issues were discovered and reported by GHSL team member Jaroslav Lobačevski

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2022-22931: Path traversal in Apache James Benoit Tellier (Feb 07)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started