Rikin Patel created JAMES-3567:
----------------------------------
Summary: Apache James 3.6 has Critical Vulnerability in dependent libs
Key: JAMES-3567
URL: https://issues.apache.org/jira/browse/JAMES-3567
Project: James Server
Issue Type: Improvement
Components: James Core
Affects Versions: 3.6.0
Environment: Docker Image: - apache/james:distributed-3.6.0
Reporter: Rikin Patel

/root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar:
-> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
-> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

/root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar:
-> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.