Hello Benoit,

thanks for the reply. Looking more into this, these CVEs don't mention Log4j. They sound more like mail server stuff:
- CVE-2021-38542 "Apache James vulnerable to STARTTLS command injection (IMAP and POP3)"
- CVE-2021-40110 "Apache James IMAP vulnerable to a ReDoS"
- CVE-2021-40111 "Apache James IMAP parsing Denial Of Service"
- CVE-2021-40525 "Apache James: Sieve file storage vulnerable to path traversal attacks"

But I'm unsure if they affect only the Apache James mail server or extend to Mime4J as well.

Best regards,
Arend

On Thu, 10 Feb 2022 at 22:16, Arend v. Reinersdorff <ar...@arendvr.com> wrote:

> Hello,
>
> the Maven Dependency Check plugin reports a number of CVEs for
> apache-mime4j-core-0.8.4.jar:
> - CVE-2021-38542
> - CVE-2021-40110
> - CVE-2021-40111
> - CVE-2021-40525
>
> These were recently fixed in Apache James 3.6.1:
> https://james.apache.org/james/update/2021/12/02/james-3.6.1.html
>
> But I'm not sure how this relates to Mime4J. Is Mime4J still affected or
> are the reports false positives?
>
> Best regards,
> Arend