The threat model described by the James community fully applies to Twake Mail.
The best practices described by the James community fully apply to Twake Mail.
Twake Mail allows a user to encrypt their emails at rest with PGP keys.
Prior to the 0.4.3 release, an authenticated user could perform server-side request forgery (SSRF) through JMAP push subscriptions: the server itself opens a connection to the subscriber-supplied push URL, so a URL pointing at an internal host lets the user reach services that are not exposed to them directly.
Mitigation: Upgrade to Twake Mail server version 0.4.3. Strict firewalling of your internal network, so that the mail server cannot open connections to internal services, is also a viable mitigation.
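As an added illustration of the check a server should apply before honouring a push URL (example code written for this page, not Twake Mail's or James's implementation), the validator below accepts only https URLs whose host resolves exclusively to public addresses. The function names, the rejection messages and the `static_resolver` helper with its constructed hostnames (`hooks.example`, `rebind.example`) are assumptions made for the demo; the address checks rely on Python's standard `ipaddress` module.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class PushUrlRejected(ValueError):
    """Raised when a PushSubscription URL must not be contacted by the server."""


def _is_public(ip):
    """True only for addresses a mail server may legitimately call out to.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first, otherwise the
    inner private address would slip through as an unremarkable IPv6 address.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_push_url(url, resolver=socket.getaddrinfo):
    """Validate a push URL and return the sorted list of public IPs it resolves to.

    Returning the addresses lets the caller connect to one of *these* IPs instead of
    re-resolving the name, which closes the DNS-rebinding window between validation
    and use.  `resolver` has socket.getaddrinfo's shape so the demo runs offline.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PushUrlRejected(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise PushUrlRejected("userinfo in push URL is not allowed")
    host = parts.hostname
    if not host:
        raise PushUrlRejected("push URL has no host")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise PushUrlRejected(f"invalid port: {exc}") from None

    try:
        addrs = {ipaddress.ip_address(host)}          # IP literal in the URL
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise PushUrlRejected(f"cannot resolve {host}: {exc}") from None
        # Checking the *resolved* addresses also catches decimal/octal spellings
        # such as "2130706433" that libc resolves but ipaddress does not parse.
        addrs = {ipaddress.ip_address(info[4][0]) for info in infos}

    # One internal record is enough to reject: a split-horizon or rebinding name
    # must not be able to smuggle a private target in among public ones.
    internal = sorted(str(a) for a in addrs if not _is_public(a))
    if internal:
        raise PushUrlRejected(f"{host} resolves to non-public address(es) {internal}")
    return sorted(str(a) for a in addrs)


def push_url_allowed(url, resolver=socket.getaddrinfo):
    """Boolean form of validate_push_url for callers that only need accept/reject."""
    try:
        validate_push_url(url, resolver)
        return True
    except PushUrlRejected:
        return False


def static_resolver(table):
    """getaddrinfo-shaped resolver backed by {hostname: [ip, ...]} (offline demo only)."""
    def resolve(host, port, type=socket.SOCK_STREAM):
        if host not in table:
            raise socket.gaierror(f"{host}: name not known")
        return [(socket.AF_INET6 if ":" in ip else socket.AF_INET, type, 0, "", (ip, port))
                for ip in table[host]]
    return resolve


# Constructed sample records for the demo (assumed hostnames, not real subscriptions).
DEMO_RESOLVER = static_resolver({
    "hooks.example": ["8.8.4.4"],
    "rebind.example": ["8.8.4.4", "10.0.0.5"],   # mixed public/private records
})

if __name__ == "__main__":
    for url in ["https://hooks.example/jmap/push",
                "https://rebind.example/jmap/push",
                "https://169.254.169.254/latest/meta-data/",
                "https://[::ffff:127.0.0.1]/",
                "http://hooks.example/"]:
        print(url, "->", "allowed" if push_url_allowed(url, DEMO_RESOLVER) else "rejected")
```

The check must be repeated for every hop if the push delivery follows HTTP redirects, since a public host can redirect the server to an internal address; the safest setting is to not follow redirects at all when delivering push notifications.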
Prior to the 0.4.3 release, TMail is subject to CVE-2021-38542, which allows a man-in-the-middle attacker to perform STARTTLS command injection against the IMAP protocol.
Mitigation: Upgrade to Twake Mail server version 0.4.1.
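To make the bug class behind CVE-2021-38542 concrete, here is an added simulation of an IMAP command loop (example code written for this page, not Twake Mail's or James's code). A MITM cannot read TLS traffic, but it can append plaintext to the client's cleartext STARTTLS segment; a server that keeps its read buffer across the TLS upgrade then executes those bytes as if the client had sent them inside the protected session. The tags, the `mallory` credentials and the exact BAD response text are constructed for the demo; the segments after the STARTTLS line stand for already-decrypted TLS records.

```python
# Constructed wire traffic: what the client sends, and the same exchange with the
# MITM's plaintext command appended to the cleartext STARTTLS segment.
CLIENT_SEGMENTS = [b"A1 STARTTLS\r\n", b"A2 LOGIN alice secret\r\n"]
TAMPERED_SEGMENTS = [b"A1 STARTTLS\r\nX1 LOGIN mallory pw\r\n", b"A2 LOGIN alice secret\r\n"]


def run_server(segments, *, reject_trailing_plaintext):
    """Feed TCP segments to a minimal IMAP command loop and return its trace.

    Each trace entry is (command, over_tls, response); `over_tls` records whether
    the server believed the command arrived inside the TLS session.
    """
    buf = b""
    tls = False
    pending = list(segments)
    trace = []
    while True:
        nl = buf.find(b"\r\n")
        if nl < 0:
            if not pending:
                return trace
            buf += pending.pop(0)   # read the next segment off the wire
            continue
        line, buf = buf[:nl], buf[nl + 2:]
        tag, _, command = line.partition(b" ")
        if command.upper() == b"STARTTLS":
            if buf and reject_trailing_plaintext:
                # Fixed behaviour: anything already buffered behind STARTTLS was sent
                # in cleartext and may be attacker-controlled, so refuse the upgrade.
                trace.append((command, tls, tag + b" BAD data after STARTTLS"))
                return trace
            trace.append((command, tls, tag + b" OK Begin TLS negotiation now"))
            # The handshake happens here.  The vulnerable server keeps `buf`, so the
            # injected plaintext is consumed next and attributed to the TLS session.
            tls = True
            continue
        trace.append((command, tls, tag + b" OK"))


def commands_seen_over_tls(segments, *, reject_trailing_plaintext):
    """Commands the server attributed to the protected session."""
    return [c for c, over_tls, _ in
            run_server(segments, reject_trailing_plaintext=reject_trailing_plaintext)
            if over_tls]


if __name__ == "__main__":
    for mode in (False, True):
        print("reject_trailing_plaintext =", mode)
        for entry in run_server(TAMPERED_SEGMENTS, reject_trailing_plaintext=mode):
            print("  ", entry)
```

In the vulnerable mode the injected `X1 LOGIN` runs inside the victim's TLS session ahead of the client's own commands; in the fixed mode the server refuses to negotiate TLS when bytes follow STARTTLS in the same segment. Discarding the buffer after the handshake is the other accepted fix; rejecting is preferable because it makes tampering visible to the client instead of silently dropping data. The mirror-image rule holds on the client side: a client must not act on server data it had buffered behind the STARTTLS response.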
Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands that trigger catastrophic backtracking in a vulnerable regular expression, resulting in a denial of service (ReDoS).
This affected Twake Mail prior to 0.4.1.
Mitigation: Upgrade to Twake Mail server version 0.4.1.
While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could trigger infinite loops, resulting in expensive CPU computation and OutOfMemory exceptions. This can be used for a denial-of-service attack. The IMAP user needs to be authenticated to exploit this vulnerability.
This affected Twake Mail prior to 0.4.1.
Mitigation: Upgrade to Twake Mail server version 0.4.1.
To ensure the safety of our users, the security process needs to happen privately.
Here are the steps:
1. The reporter emails the issue privately to openpaas-james[AT]linagora.com.
2. We will then evaluate the validity of your report and write back to you within two weeks. This response time accounts for vacations and will generally be quicker.
3. We will propose a fix that we will review with you.
4. We will propose a draft of the announcement that we will review with you.
5. We will propose a schedule for the release and the announcements.
You will be credited in the vulnerability report for your findings.