Details of VAR-202201-0203

ID

VAR-202201-0203

CVE

CVE-2021-40525

TITLE

Apache James Path Traversal Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-01768 // CNNVD: CNNVD-202201-085

DESCRIPTION

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. Apache James Exists in a past traversal vulnerability.Information may be obtained and information may be tampered with. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation. An attacker could exploit this vulnerability to perform a path traversal attack to read and write any file

Trust: 2.25

sources: NVD: CVE-2021-40525 // JVNDB: JVNDB-2022-002893 // CNVD: CNVD-2022-01768 // VULMON: CVE-2021-40525

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-01768

AFFECTED PRODUCTS

vendor:	apache	model:	james	scope:	lt	version:	3.6.2	Trust: 1.0
vendor:	apache	model:	james	scope:	eq	version:	-	Trust: 0.8
vendor:	apache	model:	james	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	james	scope:	eq	version:	3.6.1	Trust: 0.6

sources: CNVD: CNVD-2022-01768 // JVNDB: JVNDB-2022-002893 // NVD: CVE-2021-40525

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-40525
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-40525
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2022-01768
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-085
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2021-40525
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-01768
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-40525
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-40525
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-01768 // JVNDB: JVNDB-2022-002893 // CNNVD: CNNVD-202201-085 // NVD: CVE-2021-40525

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-002893 // NVD: CVE-2021-40525

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-085

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202201-085

PATCH

title:	Top Page	url:	https://www.apache.org/	Trust: 0.8
title:	Patch for Apache James Path Traversal Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/312701	Trust: 0.6
title:	Apache James Repair measures for path traversal vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176871	Trust: 0.6

sources: CNVD: CNVD-2022-01768 // JVNDB: JVNDB-2022-002893 // CNNVD: CNNVD-202201-085

EXTERNAL IDS

db:	NVD	id:	CVE-2021-40525	Trust: 3.9
db:	OPENWALL	id:	OSS-SECURITY/2022/01/04/4	Trust: 3.1
db:	OPENWALL	id:	OSS-SECURITY/2022/02/07/1	Trust: 2.4
db:	JVNDB	id:	JVNDB-2022-002893	Trust: 0.8
db:	CNVD	id:	CNVD-2022-01768	Trust: 0.6
db:	CS-HELP	id:	SB2022010404	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-085	Trust: 0.6
db:	VULMON	id:	CVE-2021-40525	Trust: 0.1

sources: CNVD: CNVD-2022-01768 // VULMON: CVE-2021-40525 // JVNDB: JVNDB-2022-002893 // CNNVD: CNNVD-202201-085 // NVD: CVE-2021-40525

REFERENCES

url:	http://www.openwall.com/lists/oss-security/2022/01/04/4	Trust: 4.8
url:	http://www.openwall.com/lists/oss-security/2022/02/07/1	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-40525	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022010404	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-01768 // VULMON: CVE-2021-40525 // JVNDB: JVNDB-2022-002893 // CNNVD: CNNVD-202201-085 // NVD: CVE-2021-40525

SOURCES

db:	CNVD	id:	CNVD-2022-01768
db:	VULMON	id:	CVE-2021-40525
db:	JVNDB	id:	JVNDB-2022-002893
db:	CNNVD	id:	CNNVD-202201-085
db:	NVD	id:	CVE-2021-40525

LAST UPDATE DATE

2024-11-23T22:05:04.320000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-01768	date:	2022-01-08T00:00:00
db:	VULMON	id:	CVE-2021-40525	date:	2022-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-002893	date:	2023-01-24T07:17:00
db:	CNNVD	id:	CNNVD-202201-085	date:	2022-02-09T00:00:00
db:	NVD	id:	CVE-2021-40525	date:	2024-11-21T06:24:19.323

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-01768	date:	2022-01-08T00:00:00
db:	VULMON	id:	CVE-2021-40525	date:	2022-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-002893	date:	2023-01-24T00:00:00
db:	CNNVD	id:	CNNVD-202201-085	date:	2022-01-04T00:00:00
db:	NVD	id:	CVE-2021-40525	date:	2022-01-04T09:15:07.423