Severity: This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information like user credentials. Exploit in IMAP requires a local account but SMTP exploit does not. Data integrity could be compromised in POP3.
Description: Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests. This issue is being tracked as JAMES-1862 Mitigation: Upgrade to Apache James 3.7.1 or Apache James 3.6.3. Credit: Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support. References: https://james.apache.org/james/update/2022/08/26/james-3.7.1.html
