Sieve file storage vulnerable to path traversal attacks
Description
The Apache James ManagedSieve implementation, together with the file-based storage for sieve scripts, is vulnerable to path traversal, allowing any file to be read or written. This vulnerability was patched in Apache James 3.6.1 and higher; we recommend upgrading. The Distributed and Cassandra-based products are not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache James ManagedSieve path traversal allows arbitrary file read/write; patched in 3.6.1.
Vulnerability
The Apache James ManagedSieve implementation is vulnerable to path traversal when it stores sieve scripts on the filesystem: the path used to store and retrieve a script is built from client-supplied input without being confined to the script directory, so an attacker can read and write arbitrary files with the privileges of the James process. Versions before 3.6.1 are affected. The issue is only reachable when the ManagedSieve service is enabled, which is not the case by default [1][2].
Exploitation
An attacker must be able to reach the ManagedSieve service over the network and issue its script-storage operations (which may require authenticating to the service). The traversal is triggered through the file paths the service derives from client input when storing and retrieving sieve scripts. No privileges beyond that access are needed [2].
Impact
Successful exploitation allows reading and writing arbitrary files on the server, potentially leading to information disclosure, modification of sensitive data, or full system compromise depending on the permissions of the James server process [1].
Mitigation
The vulnerability is fixed in Apache James 3.6.1 and higher. As a workaround, disabling the ManagedSieve service removes the attack surface. The Distributed and Cassandra-based products are not affected [2]. Note that the 3.6.1 fix was later found to be incomplete; the residual path traversal was tracked as CVE-2022-22931 and addressed in 3.6.2 [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
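The bug class described above (a script name joined onto a base directory and handed straight to the filesystem) and the fix the Mitigation section implies, shown side by side in a toy file-backed script store. This is an added illustration, not Apache James code: the class `SieveFileRepository`, its methods, the user and script names, and the sample files are all constructed for the example.

```python
"""Toy file-backed sieve script store: the traversal bug class beside its fix.
Added illustration, not Apache James code; all names are hypothetical."""
import os
import tempfile
from pathlib import Path


class SieveFileRepository:
    """One file per (user, script name) under a base directory."""

    def __init__(self, base_dir):
        # Canonicalise once so later containment checks compare like with like.
        self.base = Path(base_dir).resolve()

    def _unsafe_path(self, user, name):
        # Vulnerable pattern: client-controlled name joined verbatim.
        # "../../x" walks out of base; an absolute name replaces base entirely.
        return self.base / user / name

    def _safe_path(self, user, name):
        # Layer 1: a script name is exactly one path component, nothing else.
        for part in (user, name):
            if not part or part in (".", "..") or "/" in part or "\\" in part or "\0" in part:
                raise ValueError(f"illegal path component: {part!r}")
        # Layer 2: canonicalise (follows symlinks) and require the result to
        # stay inside base, so a planted symlink cannot escape either.
        candidate = (self.base / user / name).resolve()
        if candidate != self.base and self.base not in candidate.parents:
            raise ValueError("path escapes script repository")
        return candidate

    def put_script(self, user, name, content, safe=True):
        path = self._safe_path(user, name) if safe else self._unsafe_path(user, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)

    def get_script(self, user, name, safe=True):
        path = self._safe_path(user, name) if safe else self._unsafe_path(user, name)
        return path.read_text()


def demo():
    """Returns (leaked, traversal_blocked, symlink_blocked, legit_content)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        secret = tmp / "outside.txt"              # constructed: a file outside the store
        secret.write_text("not a sieve script")
        repo = SieveFileRepository(tmp / "sieve")
        repo.put_script("alice", "vacation.sieve", "keep;")   # legitimate use

        traversal = "../../outside.txt"           # constructed hostile script name
        leaked = repo.get_script("alice", traversal, safe=False)   # vulnerable path reads it
        try:
            repo.get_script("alice", traversal)   # hardened path rejects it
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True

        # A symlink inside the store pointing outside passes the component
        # check but fails the canonical-path check (POSIX symlinks assumed).
        os.symlink(secret, tmp / "sieve" / "alice" / "link.sieve")
        try:
            repo.get_script("alice", "link.sieve")
            symlink_blocked = False
        except ValueError:
            symlink_blocked = True

        legit = repo.get_script("alice", "vacation.sieve")
        return leaked, traversal_blocked, symlink_blocked, legit


if __name__ == "__main__":
    print(demo())
```

The two layers are deliberate: rejecting separators and `..` in the script name stops the lexical traversal, and the canonical-path containment check catches what the first layer cannot see (symlinks, or a base directory that is itself reachable through one). A fix that only normalises the string is the kind of fix that tends to be incomplete.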
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.james:james-server | Maven | < 3.6.1 | 3.6.1 |
Affected products
OSV coordinates (9 entries):
- pkg:maven/org.apache.james/james-server: range < 3.6.1 (no CPE)
- Apache Software Foundation / Apache James (v5 range)
- pkg:apk/chainguard/keycloak, pkg:apk/chainguard/keycloak-bitnami-compat, pkg:apk/chainguard/keycloak-compat, pkg:apk/chainguard/keycloak-iamguarded-compat, pkg:apk/wolfi/keycloak, pkg:apk/wolfi/keycloak-bitnami-compat, pkg:apk/wolfi/keycloak-compat, pkg:apk/wolfi/keycloak-iamguarded-compat: range < 0 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. GitHub Security Advisory GHSA-c38m-7h53-g9v4: https://github.com/advisories/GHSA-c38m-7h53-g9v4
2. NVD entry for CVE-2021-40525: https://nvd.nist.gov/vuln/detail/CVE-2021-40525
3. oss-security announcement, 2022-01-04: https://www.openwall.com/lists/oss-security/2022/01/04/4
4. oss-security announcement, 2022-02-07: https://www.openwall.com/lists/oss-security/2022/02/07/1
News mentions
No linked articles in our index yet.