STARTTLS command injection in Apache JAMES
Description
Apache James prior to releases 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. The fix for CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache James prior to 3.6.3 and 3.7.1 is vulnerable to a STARTTLS buffering attack allowing MITM command injection and credential leakage.
Apache James versions prior to 3.6.3 and 3.7.1 are vulnerable to a buffering attack exploiting the STARTTLS command [1]. The root cause is a parser differential in the fix for CVE-2021-38542, which does not account for concurrent requests, allowing an attacker to inject commands during the TLS handshake [1][2].
An attacker can perform a man-in-the-middle attack to inject STARTTLS commands. Exploitation requires no authentication for SMTP, but a local account is needed for IMAP; POP3 data integrity may also be compromised [2]. The attack can lead to leakage of sensitive information such as user credentials [2].
Successful exploitation can result in credential disclosure and potential data integrity issues across protocols [2]. The vulnerability is tracked as JAMES-1862 [2].
Mitigation involves upgrading to Apache James 3.7.1 or 3.6.3, which include the fix [2][4]. No workarounds have been provided [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
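To make the bug class concrete, here is an added example (not Apache James code, and not the project's fix) of the server-side guard whose absence the buffering attack above relies on: when STARTTLS arrives, any plaintext bytes already pipelined behind it in the read buffer must be discarded rather than parsed after the handshake. The function names and the CRLF command framing are assumptions for the illustration.

```python
# Added example, not Apache James code: a minimal server-side guard against the
# STARTTLS buffering bug class described above. A vulnerable server keeps the
# plaintext bytes that arrived pipelined behind the STARTTLS line and parses them
# once TLS is up, so they are treated as if the client had sent them encrypted.
# The defensive rule (RFC 3207 section 4.2) is to discard everything received in
# the clear before the handshake, including bytes still in the read buffer.
# Names and the CRLF command framing are assumptions for this illustration.
from dataclasses import dataclass


@dataclass
class StartTlsDecision:
    proceed: bool            # begin the TLS handshake after sending `response`?
    response: bytes          # SMTP reply sent in plaintext
    discarded: bytes = b""   # pipelined plaintext that must not reach the parser


def split_first_line(buf: bytes):
    """Return (first line without CRLF, remainder), or (None, buf) if no CRLF yet."""
    idx = buf.find(b"\r\n")
    if idx < 0:
        return None, buf
    return buf[:idx], buf[idx + 2:]


def handle_starttls(read_buffer: bytes, tls_active: bool) -> StartTlsDecision:
    """Decide how to act on a STARTTLS command.

    `read_buffer` is every byte received on the socket that the command parser
    has not consumed yet; it is inspected as a whole at the moment the handshake
    would start, so data that arrived concurrently with STARTTLS is covered too.
    """
    line, rest = split_first_line(read_buffer)
    if line is None or line.strip().upper() != b"STARTTLS":
        return StartTlsDecision(False, b"500 5.5.1 Command unrecognized\r\n")
    if tls_active:
        return StartTlsDecision(False, b"454 4.7.0 TLS already active\r\n")
    # Core check: anything after the STARTTLS line was sent in the clear. Hand it
    # back as `discarded` so the caller can log it and start the TLS session with
    # an empty buffer instead of parsing it as post-handshake commands.
    return StartTlsDecision(True, b"220 2.0.0 Ready to start TLS\r\n", discarded=rest)


if __name__ == "__main__":
    # Constructed sample: a client pipelines a command behind STARTTLS.
    d = handle_starttls(b"STARTTLS\r\nEHLO pipelined.example\r\n", tls_active=False)
    print(d.proceed, d.response, d.discarded)
```

The caller is expected to log a non-empty `discarded` value, since legitimate clients never pipeline data behind STARTTLS and its presence is a useful detection signal.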
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:james-server (Maven) | < 3.6.3 | 3.6.3 |
| org.apache.james:james-server (Maven) | >= 3.7.0, < 3.7.1 | 3.7.1 |
Affected products
OSV package coordinates (9):
- pkg:apk/chainguard/keycloak
- pkg:apk/chainguard/keycloak-bitnami-compat
- pkg:apk/chainguard/keycloak-compat
- pkg:apk/chainguard/keycloak-iamguarded-compat
- pkg:apk/wolfi/keycloak
- pkg:apk/wolfi/keycloak-bitnami-compat
- pkg:apk/wolfi/keycloak-compat
- pkg:apk/wolfi/keycloak-iamguarded-compat
- pkg:maven/org.apache.james/james-server (range: < 3.6.3)
CPE: Apache Software Foundation / Apache James (no version range given)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-w45j-f5g5-w94x (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-28220 (NVD advisory)
[3] www.openwall.com/lists/oss-security/2022/09/20/1 (oss-security mailing list)
[4] james.apache.org/james/update/2022/08/26/james-3.7.1.html (Apache James 3.7.1 release announcement)
News mentions
No linked articles in our index yet.