[JAMES-3567] Apache James 3.6 has Critical Vulnerability in dependent libs - ASF JIRA

Attach files

Attach Screenshot

Add vote

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.6.0
Fix Version/s: None
Component/s: James Core
Labels:
- vulnerability
Environment:
Docker Image: - apache/james:distributed-3.6.0

Description

/root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar: -

-> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header

-> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold.". Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

/root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar

-> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors..