Rikin Patel created JAMES-3568:
----------------------------------
Summary: James 3.6.0 having critical vulnerability
Key: JAMES-3568
URL: https://issues.apache.org/jira/browse/JAMES-3568
Project: James Server
Issue Type: Improvement
Components: James Core
Affects Versions: 3.6.0
Reporter: Rikin Patel
-> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header
to be accompanied by a second Content-Length header, or by a Transfer-Encoding
header.
Impacted Image File(s):
/root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

-> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that
lacks a colon, which might be interpreted as a separate header with an
incorrect syntax, or might be interpreted as an "invalid fold."
Impacted Image File(s):
/root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar

-> JGroups before 4.0 does not require the proper headers for the ENCRYPT and
AUTH protocols from nodes joining the cluster, which allows remote attackers to
bypass security restrictions and send and receive messages within the cluster
via unspecified vectors.
Impacted Image File(s):
/root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar