Apache James is vulnerable to command injection attacks. The vulnerability exists because of parser differential for IMAP STARTTLS
which does not take into account concurrent requests which allows an attacker to inject and execute arbitrary commands.