Details of VAR-202201-0205

ID

VAR-202201-0205

CVE

CVE-2021-40111

TITLE

Apache James Infinite loop vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-002894

DESCRIPTION

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Apache James Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. Apache James is an open source Smtp and Pop3 mail transfer agent and Nntp news server written entirely in Java by the Apache Foundation

Trust: 2.25

sources: NVD: CVE-2021-40111 // JVNDB: JVNDB-2022-002894 // CNVD: CNVD-2022-01769 // VULMON: CVE-2021-40111

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-01769

AFFECTED PRODUCTS

vendor:	apache	model:	james	scope:	eq	version:	3.6.1	Trust: 1.4
vendor:	apache	model:	james	scope:	lt	version:	3.6.1	Trust: 1.0
vendor:	apache	model:	james	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2022-01769 // JVNDB: JVNDB-2022-002894 // NVD: CVE-2021-40111

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-40111
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-40111
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-01769
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-087
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-40111
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-01769
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-40111
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-40111
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-01769 // JVNDB: JVNDB-2022-002894 // CNNVD: CNNVD-202201-087 // NVD: CVE-2021-40111

PROBLEMTYPE DATA

problemtype:	CWE-835	Trust: 1.0
problemtype:	infinite loop (CWE-835) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-002894 // NVD: CVE-2021-40111

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-087

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-087

PATCH

title:	Top Page	url:	https://www.apache.org/	Trust: 0.8
title:	Patch for Apache James Denial of Service Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/312711	Trust: 0.6
title:	Apache James Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176873	Trust: 0.6

sources: CNVD: CNVD-2022-01769 // JVNDB: JVNDB-2022-002894 // CNNVD: CNNVD-202201-087

EXTERNAL IDS

db:	NVD	id:	CVE-2021-40111	Trust: 3.9
db:	OPENWALL	id:	OSS-SECURITY/2022/01/04/3	Trust: 3.1
db:	JVNDB	id:	JVNDB-2022-002894	Trust: 0.8
db:	CNVD	id:	CNVD-2022-01769	Trust: 0.6
db:	CS-HELP	id:	SB2022010404	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-087	Trust: 0.6
db:	VULMON	id:	CVE-2021-40111	Trust: 0.1

sources: CNVD: CNVD-2022-01769 // VULMON: CVE-2021-40111 // JVNDB: JVNDB-2022-002894 // CNNVD: CNNVD-202201-087 // NVD: CVE-2021-40111

REFERENCES

url:	https://www.openwall.com/lists/oss-security/2022/01/04/3	Trust: 4.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-40111	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022010404	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-01769 // VULMON: CVE-2021-40111 // JVNDB: JVNDB-2022-002894 // CNNVD: CNNVD-202201-087 // NVD: CVE-2021-40111

SOURCES

db:	CNVD	id:	CNVD-2022-01769
db:	VULMON	id:	CVE-2021-40111
db:	JVNDB	id:	JVNDB-2022-002894
db:	CNNVD	id:	CNNVD-202201-087
db:	NVD	id:	CVE-2021-40111

LAST UPDATE DATE

2024-11-23T22:05:04.350000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-01769	date:	2022-01-08T00:00:00
db:	VULMON	id:	CVE-2021-40111	date:	2022-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-002894	date:	2023-01-24T07:22:00
db:	CNNVD	id:	CNNVD-202201-087	date:	2022-01-13T00:00:00
db:	NVD	id:	CVE-2021-40111	date:	2024-11-21T06:23:35.487

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-01769	date:	2022-01-08T00:00:00
db:	VULMON	id:	CVE-2021-40111	date:	2022-01-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-002894	date:	2023-01-24T00:00:00
db:	CNNVD	id:	CNNVD-202201-087	date:	2022-01-04T00:00:00
db:	NVD	id:	CVE-2021-40111	date:	2022-01-04T09:15:07.377