Uploaded image for project: 'James Server'
  1. James Server
  2. JAMES-3567

Apache James 3.6 has Critical Vulnerability in dependent libs

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.6.0
    • None
    • James Core
    • Docker Image: - apache/james:distributed-3.6.0

    Description

      /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar: -

          ->  HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header

          -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold.". Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

      /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar

          ->  JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors..

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #400

          Activity

            People

              Unassigned Unassigned
              riks.lovein Rikin Patel
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1.5h
                  1.5h