James Server / JAMES-3568

James 3.6.0 having critical vulnerability

Details

    Description

      -> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

      -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

      -> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Impacted Image File(s): /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar

          People

            Unassigned
            riks.lovein Rikin Patel