CVE-2022-28220: 
Java vulnerability analysis and mitigation

CVE-2022-28220 is a STARTTLS command injection vulnerability discovered in Apache JAMES (Java Apache Mail Enterprise Server). The vulnerability affects Apache James versions prior to releases 3.6.3 and 3.7.1. This security issue was identified as a follow-up to a previous vulnerability (CVE-2021-38542), where the implemented fix was found to be incomplete due to parser differential issues and concurrent request handling problems (Apache James, Openwall).

The vulnerability is related to a buffering attack that exploits the STARTTLS command implementation. The issue stems from parser differential problems and inadequate handling of concurrent requests, which remained unaddressed in the fix for the previous CVE-2021-38542. This vulnerability is being tracked internally as JAMES-1862 (Openwall).

The vulnerability can lead to Man-in-the-middle command injection attacks, potentially resulting in the leakage of sensitive information including user credentials. While exploitation through IMAP requires a local account, SMTP exploitation does not have this requirement. Additionally, data integrity could be compromised in POP3 services (Openwall).

The recommended mitigation is to upgrade to Apache James version 3.7.1 or 3.6.3, which contain the necessary security fixes (Openwall).