CVE-2022-28220
Published: 08 September 2022
Summary
CVE-2022-28220 is a high-severity Command Injection (CWE-77) vulnerability in Apache James. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache James versions prior to 3.6.3 and 3.7.1 contain a buffering attack vulnerability tied to the STARTTLS command. The issue arises because the earlier fix for CVE-2021-38542, shipped in 3.6.1, is subject to a parser differential that does not account for concurrent requests, leaving the mail server exposed to improper handling of TLS negotiation traffic.
An unauthenticated remote attacker can send crafted STARTTLS sequences over the network to trigger the flaw, resulting in a denial-of-service condition that affects availability while requiring no user interaction or credentials.
Advisories published by the Apache James project in August 2022 direct administrators to upgrade to the fixed releases 3.6.3 or 3.7.1; the same guidance appears in coordinated oss-security postings from September 2022.
The associated EPSS score has remained flat at its peak value of 0.0918 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6956
Vulnerability details
Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take into account concurrent requests.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.