Description
In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/04/2
https://www.openwall.com/lists/oss-security/2022/01/04/2
Related Vulnerabilities
CVE-2022-23622 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2019-5918 Vulnerability in maven package com.nablarch.framework:nablarch-core-dataformat
CVE-2019-17267 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2023-30429 Vulnerability in maven package org.apache.pulsar:pulsar-broker-common
CVE-2020-2194 Vulnerability in maven package io.jenkins.plugins:echarts-api