Path traversal in Apache James 3.6.1
Description
The fix for CVE-2021-40525 does not prepend delimiters upon valid directory validations. Affected implementations include:
- maildir mailbox store
- Sieve file repository
This enables a user to access other users' data stores (limited to user names being prefixed by the value of the username being used).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache James 3.6.1 and earlier allow path traversal in maildir mailbox store and Sieve file repository due to insufficient directory validation bypassing CVE-2021-40525 fixes, enabling authenticated users to access other users' data stores.
Vulnerability
CVE-2022-22931 is a path traversal vulnerability in Apache James (Java Apache Mail Enterprise Server) versions prior to 3.6.2. The fix for CVE-2021-40525 failed to properly prepend delimiters upon valid directory validations, affecting the maildir mailbox store and Sieve file repository implementations. This allows an authenticated user to access other users' data stores, limited to user names prefixed by the value of the attacker's username [1][2][3].
Exploitation
An attacker must be an authenticated user of the Apache James server. The exploitation requires no special privileges beyond standard user access. By crafting requests that exploit the improper directory validation, an attacker can traverse directories to access files belonging to other users. The vulnerability is limited to instances where the target username starts with the same prefix as the attacker's username [3].
Impact
Successful exploitation leads to unauthorized access to other users' mailbox data or Sieve scripts, amounting to information disclosure and potential compromise of email content and filtering rules. The attacker can read or potentially manipulate data within the scope of the accessed user's store [2][3].
Mitigation
The vulnerability is fixed in Apache James version 3.6.2, released on 2022-02-07 [2][3]. All users are advised to upgrade to this version or later. No workarounds have been publicly documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
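The prefix-check defect described above, as an added illustration that is not Apache James code: a store path is derived from the username, and the vulnerable variant accepts any path whose string merely starts with the owner's directory name, so "alice" passes for "alice2". The fixed variant requires the path separator after the allowed prefix. The base directory and usernames are constructed for the example.

```python
import os


def user_store_dir(base_dir: str, username: str) -> str:
    """Store location derived from the username (constructed maildir-style layout)."""
    return os.path.abspath(os.path.join(base_dir, username))


def is_inside_store_vulnerable(base_dir: str, owner: str, requested: str) -> bool:
    """Check modelled on the incomplete earlier fix: a bare string prefix
    comparison with no trailing separator. 'alice2' and 'alice/../alice2'
    both start with '.../alice' and are wrongly accepted."""
    owner_dir = user_store_dir(base_dir, owner)
    target = os.path.abspath(os.path.join(base_dir, requested))  # normalises '..'
    return target.startswith(owner_dir)


def is_inside_store_fixed(base_dir: str, owner: str, requested: str) -> bool:
    """Same check with the separator added to the allowed prefix, so only the
    owner's directory itself or paths strictly beneath it are accepted."""
    owner_dir = user_store_dir(base_dir, owner)
    target = os.path.abspath(os.path.join(base_dir, requested))
    return target == owner_dir or target.startswith(owner_dir + os.sep)


def compare_checks(base_dir: str, owner: str, requested_paths):
    """Return {requested: (vulnerable_result, fixed_result)} for review or testing."""
    return {
        p: (is_inside_store_vulnerable(base_dir, owner, p),
            is_inside_store_fixed(base_dir, owner, p))
        for p in requested_paths
    }


if __name__ == "__main__":
    # Constructed base directory and user names; not James's real defaults.
    BASE = "/srv/james/mailstore"
    PATHS = [
        "alice/cur/1.eml",              # own mailbox: both checks accept
        "alice2/cur/1.eml",             # prefix-sharing user: vulnerable accepts
        "alice/../alice2/cur/1.eml",    # traversal to same target: vulnerable accepts
        "bob/cur/1.eml",                # unrelated user: both reject
    ]
    for path, (vuln, fixed) in compare_checks(BASE, "alice", PATHS).items():
        print(f"{path:32} vulnerable={vuln!s:5} fixed={fixed}")
```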
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:james-server (Maven) | < 3.6.2 | 3.6.2 |
Affected products
- Apache Software Foundation / Apache James (range: Apache James 3.6.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v84g-cf5j-xjqx (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22931 (advisory)
- github.com/apache/james-project/pull/877
- github.com/apache/james-project/pull/877/commits/b1e891a9e5eeadfa1d779ae50f21c73efe4d2fc7
- lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr
- www.openwall.com/lists/oss-security/2022/02/07/1
News mentions
No linked articles in our index yet.