CVE-2021-40110 - OpenCVE

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	James

Configuration 1 [-]

cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/01/04/2
https://www.openwall.com/lists/oss-security/2022/01/04/2

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-04T08:55:22

Updated: 2024-08-04T02:27:31.846Z

Reserved: 2021-08-25T00:00:00

Link: CVE-2021-40110

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-04T09:15:07.327

Modified: 2022-01-12T19:54:54.953

Link: CVE-2021-40110

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache James", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.6.0", "status": "affected", "version": "Apache James", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report."}], "descriptions": [{"lang": "en", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "Regular expression Denial of service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-04T09:06:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2"}, {"name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2"}], "source": {"defect": ["JAMES-3635"], "discovery": "UNKNOWN"}, "title": "Apache James IMAP vulnerable to a ReDoS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-40110", "STATE": "PUBLIC", "TITLE": "Apache James IMAP vulnerable to a ReDoS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache James", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache James", "version_value": "3.6.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache James PMC would like to thanks Benoit TELLIER for this report."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular expression Denial of service"}]}]}, "references": {"reference_data": [{"name": "https://www.openwall.com/lists/oss-security/2022/01/04/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2"}, {"name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2"}]}, "source": {"defect": ["JAMES-3635"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:27:31.846Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2"}, {"name": "[oss-security] 20220104 CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40110", "datePublished": "2022-01-04T08:55:22", "dateReserved": "2021-08-25T00:00:00", "dateUpdated": "2024-08-04T02:27:31.846Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "matchCriteriaId": "C857D994-8952-4A29-9B5C-CC3AADBAD82F", "versionEndExcluding": "3.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."}, {"lang": "es", "value": "En Apache James, usando Jazzer fuzzer, identificamos que un usuario de IMAP puede dise\u00f1ar comandos IMAP LIST para orquestar una denegaci\u00f3n de servicio usando una expresi\u00f3n regular vulnerable. Esto afectaba a Apache James versiones anteriores a 3.6.1. Recomendamos actualizar a Apache James versi\u00f3n 3.6.1 o superior, que refuerza el uso del motor de expresiones regulares RE2J para ejecutar regex en tiempo lineal sin retroceso"}], "id": "CVE-2021-40110", "lastModified": "2022-01-12T19:54:54.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-04T09:15:07.327", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/04/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2022/01/04/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}