Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used).
Max CVSS
4.3
EPSS Score
0.05%
Published
2022-02-07
Updated
2022-02-15
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.
Max CVSS
9.1
EPSS Score
0.18%
Published
2022-01-04
Updated
2022-03-29
2 vulnerabilities found