ID

VAR-202201-0221


CVE

CVE-2021-38542


TITLE

Apache James Vulnerability in using cryptographic algorithms in

Trust: 0.8

sources: JVNDB: JVNDB-2021-017533

DESCRIPTION

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information. Apache James has a vulnerability in its use of cryptographic algorithms. Information may be obtained. Apache James is an open source SMTP and POP3 mail transfer agent and NNTP news server written entirely in Java by the Apache Foundation.

Trust: 2.25

sources: NVD: CVE-2021-38542 // JVNDB: JVNDB-2021-017533 // CNVD: CNVD-2022-01767 // VULMON: CVE-2021-38542

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-01767

AFFECTED PRODUCTS

vendor: apache, model: james, scope: eq, version: 3.6.1

Trust: 1.4

vendor: apache, model: james, scope: lt, version: 3.6.1

Trust: 1.0

vendor: apache, model: james, scope: eq, version: -

Trust: 0.8

sources: CNVD: CNVD-2022-01767 // JVNDB: JVNDB-2021-017533 // NVD: CVE-2021-38542

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38542
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38542
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-01767
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202201-086
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-38542
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-38542
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-01767
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38542
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-38542
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-01767 // VULMON: CVE-2021-38542 // JVNDB: JVNDB-2021-017533 // CNNVD: CNNVD-202201-086 // NVD: CVE-2021-38542

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: CWE-327

Trust: 1.0

problemtype: Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-017533 // NVD: CVE-2021-38542

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-086

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202201-086

PATCH

title: Top Page, url: https://www.apache.org/

Trust: 0.8

title: Patch for Apache James Command Injection Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/312706

Trust: 0.6

title: Apache James Fixes for command injection vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=176872

Trust: 0.6

title: -, url: https://github.com/Live-Hack-CVE/CVE-2021-38542

Trust: 0.1

title: -, url: https://github.com/Live-Hack-CVE/CVE-2022-28220

Trust: 0.1

sources: CNVD: CNVD-2022-01767 // VULMON: CVE-2021-38542 // JVNDB: JVNDB-2021-017533 // CNNVD: CNNVD-202201-086

EXTERNAL IDS

db: NVD, id: CVE-2021-38542

Trust: 3.9

db: OPENWALL, id: OSS-SECURITY/2022/01/04/1

Trust: 3.1

db: OPENWALL, id: OSS-SECURITY/2022/09/20/1

Trust: 2.5

db: JVNDB, id: JVNDB-2021-017533

Trust: 0.8

db: CNVD, id: CNVD-2022-01767

Trust: 0.6

db: CS-HELP, id: SB2022010404

Trust: 0.6

db: CNNVD, id: CNNVD-202201-086

Trust: 0.6

db: VULMON, id: CVE-2021-38542

Trust: 0.1

sources: CNVD: CNVD-2022-01767 // VULMON: CVE-2021-38542 // JVNDB: JVNDB-2021-017533 // CNNVD: CNNVD-202201-086 // NVD: CVE-2021-38542

REFERENCES

url: http://www.openwall.com/lists/oss-security/2022/01/04/1

Trust: 4.8

url: http://www.openwall.com/lists/oss-security/2022/09/20/1

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2021-38542

Trust: 0.8

url: https://www.cybersecurity-help.cz/vdb/sb2022010404

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/327.html

Trust: 0.1

url: https://github.com/live-hack-cve/cve-2021-38542

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-01767 // VULMON: CVE-2021-38542 // JVNDB: JVNDB-2021-017533 // CNNVD: CNNVD-202201-086 // NVD: CVE-2021-38542

SOURCES

db: CNVD, id: CNVD-2022-01767
db: VULMON, id: CVE-2021-38542
db: JVNDB, id: JVNDB-2021-017533
db: CNNVD, id: CNNVD-202201-086
db: NVD, id: CVE-2021-38542

LAST UPDATE DATE

2024-08-14T13:22:57.116000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-01767, date: 2022-01-08T00:00:00
db: VULMON, id: CVE-2021-38542, date: 2022-10-27T00:00:00
db: JVNDB, id: JVNDB-2021-017533, date: 2023-01-24T07:31:00
db: CNNVD, id: CNNVD-202201-086, date: 2022-10-28T00:00:00
db: NVD, id: CVE-2021-38542, date: 2022-10-27T11:39:19.073

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-01767, date: 2022-01-08T00:00:00
db: VULMON, id: CVE-2021-38542, date: 2022-01-04T00:00:00
db: JVNDB, id: JVNDB-2021-017533, date: 2023-01-24T00:00:00
db: CNNVD, id: CNNVD-202201-086, date: 2022-01-04T00:00:00
db: NVD, id: CVE-2021-38542, date: 2022-01-04T09:15:07.267