CVE-2022-22931
Path Traversal in Apache James Server
EPSS 2.8%
Description
Apache James Server prior to version 3.6.2 contains a path traversal vulnerability. The fix for CVE-2021-40525 validates that a requested path lies under the user's directory with a prefix comparison, but it does not terminate the directory prefix with a path delimiter before comparing. Affected implementations include:
- maildir mailbox store
- Sieve file repository
This lets a user access another user's data store, limited to users whose names begin with the requesting user's name (for example, user alice reaching the store of user alicebob, because "/alicebob" begins with "/alice").
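The flaw is a bare prefix comparison: after path normalisation, "/var/mail/alicebob/INBOX" starts with "/var/mail/alice", so a check that forgets the trailing separator accepts it. The following Python is an added illustration written for this page, not code from Apache James; it places the weak check beside the corrected one and runs both over constructed requests. The /var/mail root, the user names alice, alicebob and bob, and all function names are assumptions for the example.

```python
import posixpath

# Constructed example: a mail store root and two users whose names share a prefix.
MAIL_ROOT = "/var/mail"


def user_dir(username: str) -> str:
    """Directory that holds one user's data (e.g. /var/mail/alice)."""
    return posixpath.join(MAIL_ROOT, username)


def resolve(username: str, requested: str) -> str:
    """Join a user-controlled relative path onto the user's directory and
    collapse '.' and '..' segments, as a store would before opening a file.
    A real store should additionally resolve symlinks (os.path.realpath)
    before comparing, which this offline example omits."""
    return posixpath.normpath(posixpath.join(user_dir(username), requested))


def vulnerable_is_inside(username: str, requested: str) -> bool:
    """Check in the style the advisory describes for versions before 3.6.2:
    a plain prefix comparison with no delimiter appended to the prefix."""
    return resolve(username, requested).startswith(user_dir(username))


def hardened_is_inside(username: str, requested: str) -> bool:
    """Compare against the directory *plus* a trailing separator, so
    '/var/mail/alicebob/...' no longer matches user 'alice'. The user's
    directory itself (target == base) is still accepted."""
    base = user_dir(username)
    target = resolve(username, requested)
    return target == base or target.startswith(base + posixpath.sep)


def compare(username: str, requested: str) -> tuple[bool, bool]:
    """Return (vulnerable verdict, hardened verdict) for one request."""
    return (vulnerable_is_inside(username, requested),
            hardened_is_inside(username, requested))


if __name__ == "__main__":
    # Constructed requests from user alice: a legitimate path, a traversal into
    # the sibling user whose name shares alice's prefix, a traversal into an
    # unrelated user, and an attempt to climb out of the user directory.
    for req in ("INBOX/cur/1.eml",
                "../alicebob/INBOX/cur/1.eml",
                "../bob/INBOX/cur/1.eml",
                ".."):
        vuln, hard = compare("alice", req)
        print(f"{req:30} -> {resolve('alice', req):38} "
              f"vulnerable={vuln!s:5} hardened={hard}")
```

Only the second request separates the two checks: the vulnerable one lets alice into alicebob's store while rejecting bob's, which matches the advisory's "limited to user names being prefixed by the value of the username being used".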
How to fix CVE-2022-22931
To remediate CVE-2022-22931, upgrade the affected package to a fixed version below.
- Maven/org.apache.james:james-server: upgrade to 3.6.2 or later
Is CVE-2022-22931 being exploited?
Low. EPSS is 2.8%, an estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a report of observed exploitation, so a low score does not rule out targeted use; since the attack only needs a valid account and a path, upgrade regardless.
Affected packages (1)
- org.apache.james:james-server: >= 0, < 3.6.2