Cyber Resilience

CVE-2022-28220

High · RCE

Published: 08 September 2022
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 26 August 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0918 (92.9th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28220 is a high-severity Command Injection (CWE-77) vulnerability in Apache James. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache James versions prior to 3.6.3 and 3.7.1 contain a buffering attack vulnerability tied to the STARTTLS command. The issue arises because the earlier fix for CVE-2021-38542, shipped in 3.6.1, is subject to a parser differential that does not account for concurrent requests, leaving the mail server exposed to improper handling of TLS negotiation traffic.

An unauthenticated remote attacker can send crafted STARTTLS sequences over the network to trigger the flaw, resulting in a denial-of-service condition that affects availability while requiring no user interaction or credentials.

Advisories published by the Apache James project in August 2022 direct administrators to upgrade to the fixed releases 3.6.3 or 3.7.1; the same guidance appears in coordinated oss-security postings from September 2022.

The associated EPSS score has remained flat at its peak value of 0.0918 with no material upward trajectory after disclosure.

Vulnerability details

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take into account concurrent requests.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: james
Versions: 3.7.0 · ≤ 3.6.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
