Description
In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1 We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/04/2
https://www.openwall.com/lists/oss-security/2022/01/04/2
Related Vulnerabilities
CVE-2020-8203 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2020-2233 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-maven-parent
CVE-2021-25945 Vulnerability in npm package js-extend
CVE-2023-22580 Vulnerability in npm package sequelize
CVE-2023-24057 Vulnerability in maven package ca.uhn.hapi.fhir:org.hl7.fhir.r4b