Headline
CVE-2022-28220: Apache James
Apache James prior to releases 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command: plaintext that a client pipelines directly after the STARTTLS command is buffered and then processed as if it had arrived over the TLS session. The fix for CVE-2021-38542, which addressed a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.
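To make the attack class and the two failure modes concrete, here is an added example (not Apache James' code; the toy command loop, the response string and the client segments are all constructed for the demonstration). A minimal SMTP-like reader processes pipelined input with three policies: no guard at all, a guard that compares the raw line to `STARTTLS` while the dispatcher parses the first whitespace-separated token case-insensitively (the parser differential), and a guard that reuses the dispatcher's own parser.

```python
"""STARTTLS command injection ("buffering attack") and the check that stops it.

Added example, not Apache James' implementation. The server loop, the guard
policies and the client input below are constructed for illustration.
"""

CRLF = b"\r\n"
OK_STARTTLS = b"220 Ready to start TLS\r\n"  # constructed response text


def parse_command(line: bytes) -> str:
    """Tokenize a command line the way the dispatcher does:
    first whitespace-separated token, case-insensitive."""
    parts = line.strip().split()
    return parts[0].upper().decode("ascii", "replace") if parts else ""


def pop_line(rx: bytearray):
    """Remove and return the first CRLF-terminated line from rx, or None."""
    i = rx.find(CRLF)
    if i < 0:
        return None
    line = bytes(rx[:i])
    del rx[:i + 2]
    return line


def run_session(segments, guard):
    """Feed TCP segments (list of bytes) through a toy command loop.

    guard: "none"  -> keep processing whatever is buffered after STARTTLS
           "exact" -> discard buffered data only when the raw line is exactly
                      b"STARTTLS" (a second, stricter parser: the differential)
           "same"  -> decide with the dispatcher's own parse_command()

    Returns (executed, closed). executed is a list of (command, over_tls)
    tuples; over_tls is what the server *believes* about the command's
    transport. closed is True when the guard rejected the session.
    """
    rx = bytearray()
    tls = False
    executed = []
    for seg in segments:
        rx += seg
        while (line := pop_line(rx)) is not None:
            cmd = parse_command(line)
            if cmd == "STARTTLS" and not tls:
                if guard == "none":
                    is_upgrade = False
                elif guard == "exact":
                    is_upgrade = line == b"STARTTLS"
                else:
                    is_upgrade = True  # same parser as the dispatcher
                if is_upgrade and rx:
                    # Plaintext already sits behind STARTTLS in the receive
                    # buffer: it can only have come from the network in the
                    # clear, so reject and close instead of serving it later.
                    return executed, True
                tls = True  # the TLS handshake would be performed here
                continue
            executed.append((cmd, tls))
    return executed, False


# Constructed client input. The attacker pipelines STARTTLS and an injected
# command in one segment, so the injected line is buffered before the
# handshake and later consumed as if it had been sent inside TLS.
PIPELINED = [b"EHLO client\r\nSTARTTLS\r\nEHLO injected\r\n"]
# Same attack with a trailing space after STARTTLS: the dispatcher still sees
# STARTTLS, but a raw-line comparison does not, and the guard is skipped.
PIPELINED_SP = [b"EHLO client\r\nSTARTTLS \r\nEHLO injected\r\n"]
# Honest client: waits for the 220 reply before sending anything else.
HONEST = [b"EHLO client\r\nSTARTTLS\r\n", b"EHLO client\r\n"]


def injected_over_tls(segments, guard):
    """Commands the server would treat as TLS-protected although they were
    received in plaintext: the attack succeeded if this is non-empty."""
    executed, _ = run_session(segments, guard)
    # In these sessions only the first EHLO is legitimately pre-TLS; any
    # command flagged over_tls that arrived in the STARTTLS segment is injected.
    return [c for c, over_tls in executed if over_tls and segments[0].count(CRLF) > 2]


if __name__ == "__main__":
    for name, segs in (("pipelined", PIPELINED), ("pipelined+space", PIPELINED_SP)):
        for g in ("none", "exact", "same"):
            print(name, g, run_session(segs, g))
```

The guard must also be atomic with the upgrade: if the server keeps reading from the socket between accepting STARTTLS and installing the TLS layer (the concurrent-request case the advisory mentions), a segment arriving in that window lands in the buffer after the emptiness check and is served with `tls` already true. The check therefore belongs in the same code path that performs the upgrade, with no further reads handed to the command parser until the handshake has completed.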
**Apache James Server 3.7.1** (August 26, 2022)
The Apache James developers are pleased to announce the James server 3.7.1 release.
Early adopters can download it; any issue can be reported on our issue tracker.
The Apache James PMC would like to thank all contributors who made this release possible!
Announcement
This is a minor maintenance release.
It addresses CVE-2022-28220, STARTTLS command injection in Apache James.
It also includes various bugfixes.
Release changelog
The full changes included in this release can be seen in the CHANGELOG.