Description
The Apache James ManagedSieve implementation, together with the file-based storage for Sieve scripts, is vulnerable to path traversal, allowing any file to be read or written. This vulnerability has been patched in Apache James 3.6.1 and higher; upgrading is recommended. The Distributed and Cassandra-based products are not impacted.
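To make the defect class concrete, the following added example (not Apache James code, and not the project's actual fix) contrasts an unchecked join of a client-supplied script name onto a per-user directory with a hardened resolver. The `root/user/script_name` layout, the function names and the sample inputs are assumptions for illustration; the hardened version rejects separator and dot-only components up front and then verifies that the normalized result still lies strictly inside the storage root.

```python
import posixpath

# Constructed storage root for the illustration; the real layout is not on the page.
SCRIPT_ROOT = "/var/sieve"


class UnsafeScriptNameError(ValueError):
    """Raised when a user or script name would escape the script storage root."""


def naive_script_path(root: str, user: str, script_name: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined and normalized unchecked.

    A name such as '../../../etc/passwd' walks out of the per-user directory, and an
    absolute name makes posixpath.join discard everything before it.
    """
    return posixpath.normpath(posixpath.join(root, user, script_name))


def is_safe_component(component: str) -> bool:
    """A single path component must be non-empty, not '.' or '..', and free of
    separators and NUL bytes. This is the first line of defence."""
    if not component or component in (".", ".."):
        return False
    return not any(ch in component for ch in "/\\\x00")


def safe_script_path(root: str, user: str, script_name: str) -> str:
    """Hardened resolver: validate each component, then confirm containment.

    The containment check (commonpath) is defence in depth: even if component
    validation were bypassed, a result outside the root is refused.
    """
    for component in (user, script_name):
        if not is_safe_component(component):
            raise UnsafeScriptNameError(f"rejected path component: {component!r}")

    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, user, script_name))

    # The candidate must be strictly below the root, never the root itself.
    if posixpath.commonpath([root_norm, candidate]) != root_norm or candidate == root_norm:
        raise UnsafeScriptNameError(f"path escapes storage root: {candidate!r}")
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed inputs; returns results for inspection."""
    traversal = "../../../etc/passwd"   # constructed hostile name
    results = {
        "naive_traversal": naive_script_path(SCRIPT_ROOT, "alice", traversal),
        "naive_absolute": naive_script_path(SCRIPT_ROOT, "alice", "/etc/passwd"),
        "safe_ok": safe_script_path(SCRIPT_ROOT, "alice", "vacation.sieve"),
    }
    try:
        safe_script_path(SCRIPT_ROOT, "alice", traversal)
        results["safe_traversal"] = "accepted"
    except UnsafeScriptNameError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Component validation alone would be enough for this layout, but keeping the containment check means a future change to how names are assembled cannot silently reopen the traversal.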
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/04/4
http://www.openwall.com/lists/oss-security/2022/02/07/1
https://www.openwall.com/lists/oss-security/2022/01/04/4