CVE-2021-40110

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

Published: Jan 4, 2022
Updated: May 9, 2024
CVE: CVE-2021-40110
GHSA: GHSA-r58x-wjg8-63m9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
apache / james	-	3.6.1
org.apache.james / james-server	-	3.6.1

http://www.openwall.com/lists/oss-security/2022/01/04/2
https://www.openwall.com/lists/oss-security/2022/01/04/2

Vulnerability Database

289,784

CVE-2021-40110