CVE Security Report - SICS ADH Server
The report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.
| Name | Description | CWE | CVSS v2.0 Severity | CVSS v3.0 Severity | Dependency |
|---|---|---|---|---|---|
| CVE-2021-38542 | Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information. | CWE-77 | MEDIUM | MEDIUM | apache-mime4j-core-0.7.2.jar |
| CVE-2021-40110 | In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking. | NVD-CWE-Other | MEDIUM | HIGH | apache-mime4j-core-0.7.2.jar |
| CVE-2021-40111 | In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. | CWE-835 | MEDIUM | MEDIUM | apache-mime4j-core-0.7.2.jar |
| CVE-2021-40525 | Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. | CWE-22 | MEDIUM | CRITICAL | apache-mime4j-core-0.7.2.jar |
| CVE-2012-5783 | Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | CWE-295 | MEDIUM | commons-httpclient-3.1.jar | |
| CVE-2020-13956 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | NVD-CWE-noinfo | MEDIUM | MEDIUM | commons-httpclient-3.1.jar |
| CVE-2021-43797 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to 'sanitize' header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. | CWE-444 | MEDIUM | MEDIUM | netty-transport-4.1.68.Final.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.equinox.app-1.6.100.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.equinox.bidi-1.4.100.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.equinox.common-3.15.100.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.equinox.preferences-3.9.100.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.equinox.registry-3.11.100.jar |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | NVD-CWE-noinfo | MEDIUM | HIGH | org.eclipse.osgi-3.17.100.jar |
| CVE-2021-22569 | An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. | NVD-CWE-noinfo | MEDIUM | MEDIUM | protobuf-java-3.11.4.jar |
This report was generated 22.03.2022, 03:41:43 UTC, using dependency-check version: 6.5.0.