mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

CVE-2022-23305 & CVE-2022-23302 #250

Closed manopandey closed 2 years ago

manopandey commented 2 years ago

Hi, I would like to check if JDBCAppender and JMSSink classes are used in DavMail. These are affected by CVE-2022-23305 & CVE-2022-23302. Thank you.

mguessan commented 2 years ago

DavMail only uses the console and rolling file appenders. In addition, we now strip the vulnerable appenders from the Log4J jars in the packaged application.

Thus DavMail should not be impacted by those new CVEs.

mguessan commented 2 years ago

Excluded additional files from the packaged application. The next step would be to get rid of Log4J completely.
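
One way to verify the stripping described in the comments above, as an added example that is not part of the thread or DavMail's own build: it scans a jar, including jars nested inside it, for the two Log4J 1.2 classes named in the issue. The package paths are those of stock Log4J 1.2, and the sample archives and their entry names are constructed in memory.

```python
import io
import zipfile

# Classes named in the issue, at their stock Log4J 1.2 package paths.
# A relocated (shaded) copy would sit under a different path and not match.
FLAGGED = {
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
}

def scan_jar(jar, prefix=""):
    """Return sorted (entry path, CVE) pairs; descends into nested archives."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name in FLAGGED:
                hits.append((prefix + name, FLAGGED[name]))
            elif name.lower().endswith((".jar", ".war")):
                try:
                    nested = io.BytesIO(zf.read(name))
                    hits += scan_jar(nested, prefix + name + "!/")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; nothing to report
    return sorted(hits)

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

def demo():
    """Scan three constructed archives: stock, stripped, and a bundle."""
    kept = {"org/apache/log4j/RollingFileAppender.class": b""}
    stock = make_jar({**kept, **dict.fromkeys(FLAGGED, b"")})
    stripped = make_jar(kept)
    bundle = make_jar({"lib/log4j.jar": stock.getvalue(), "app/Main.class": b""})
    return {"stock": scan_jar(stock), "stripped": scan_jar(stripped),
            "bundle": scan_jar(bundle)}

if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or "clean")
```

`scan_jar` also accepts a filesystem path, so it can be pointed at a packaged application's archive directly.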