Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for james_server by apache
CVE-2024-37358 (GCVE-0-2024-37358)
Vulnerability from cvelistv5 – Published: 2025-02-06 11:22 – Updated: 2025-09-01 09:40
VLAI
Title
Apache James: denial of service through the use of IMAP literals
Summary
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations
Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/1pxsh11v5s3fkvhnq… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.5
(semver)
Affected: 3.8.0 , ≤ 3.8.1 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T13:57:35.810182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:10.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://james.apache.org/",
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.1",
"status": "affected",
"version": "3.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Xavier GUIMARD"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benoit TELLIER"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\u003cbr\u003e\u003cbr\u003eVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.\u003cbr\u003e"
}
],
"value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T09:40:18.781Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James: denial of service through the use of IMAP literals",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-37358",
"datePublished": "2025-02-06T11:22:38.260Z",
"dateReserved": "2024-06-06T07:07:32.731Z",
"dateUpdated": "2025-09-01T09:40:18.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45626 (GCVE-0-2024-45626)
Vulnerability from cvelistv5 – Published: 2025-02-06 11:21 – Updated: 2025-02-12 19:51
VLAI
Title
Apache James: denial of service through JMAP HTML to text conversion
Summary
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.
Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
3.8.0 , ≤ 3.8.1
(maven)
Affected: 0 , ≤ 3.7.5 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-06T12:04:25.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/05/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T13:59:06.290280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:10.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.8.1",
"status": "affected",
"version": "3.8.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benoit TELLIER"
},
{
"lang": "en",
"type": "finder",
"value": "Wojciech Kapcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\n\nUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T11:21:12.417Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache James: denial of service through JMAP HTML to text conversion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45626",
"datePublished": "2025-02-06T11:21:12.417Z",
"dateReserved": "2024-09-03T08:43:52.113Z",
"dateUpdated": "2025-02-12T19:51:10.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12628 (GCVE-0-2017-12628)
Vulnerability from cvelistv5 – Published: 2017-10-20 15:00 – Updated: 2024-08-05 18:43
VLAI
Summary
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.
Severity
No CVSS data available.
CWE
- Privilege escalation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.mail-archive.com/server-user%40james.… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101532 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James |
Affected:
3.0.0
|
Date Public
2017-10-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html"
},
{
"name": "101532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101532"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache James",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0"
}
]
}
],
"datePublic": "2017-10-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-24T09:57:02.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html"
},
{
"name": "101532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101532"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-12628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache James",
"version": {
"version_data": [
{
"version_value": "3.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"refsource": "MLIST",
"url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html"
},
{
"name": "101532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101532"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12628",
"datePublished": "2017-10-20T15:00:00.000Z",
"dateReserved": "2017-08-07T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:43:56.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7611 (GCVE-0-2015-7611)
Vulnerability from cvelistv5 – Published: 2016-06-07 14:00 – Updated: 2024-08-06 07:51
VLAI
Summary
Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/536575/100… | mailing-listx_refsource_BUGTRAQ |
| http://www.openwall.com/lists/oss-security/2015/10/01/2 | mailing-listx_refsource_MLIST |
| http://packetstormsecurity.com/files/133798/Apach… | x_refsource_MISC |
| https://blogs.apache.org/james/entry/apache_james… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2015/09/30/7 | mailing-listx_refsource_MLIST |
| http://packetstormsecurity.com/files/156463/Apach… | x_refsource_MISC |
Date Public
2015-09-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-20T22:06:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"name": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"name": "https://blogs.apache.org/james/entry/apache_james_server_2_3",
"refsource": "CONFIRM",
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"name": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7611",
"datePublished": "2016-06-07T14:00:00.000Z",
"dateReserved": "2015-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37358 (GCVE-0-2024-37358)
Vulnerability from nvd – Published: 2025-02-06 11:22 – Updated: 2025-09-01 09:40
VLAI
Title
Apache James: denial of service through the use of IMAP literals
Summary
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations
Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/1pxsh11v5s3fkvhnq… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
0 , ≤ 3.7.5
(semver)
Affected: 3.8.0 , ≤ 3.8.1 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T13:57:35.810182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:10.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://james.apache.org/",
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.8.1",
"status": "affected",
"version": "3.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Xavier GUIMARD"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benoit TELLIER"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\u003cbr\u003e\u003cbr\u003eVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.\u003cbr\u003e"
}
],
"value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T09:40:18.781Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache James: denial of service through the use of IMAP literals",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-37358",
"datePublished": "2025-02-06T11:22:38.260Z",
"dateReserved": "2024-06-06T07:07:32.731Z",
"dateUpdated": "2025-09-01T09:40:18.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45626 (GCVE-0-2024-45626)
Vulnerability from nvd – Published: 2025-02-06 11:21 – Updated: 2025-02-12 19:51
VLAI
Title
Apache James: denial of service through JMAP HTML to text conversion
Summary
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.
Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James server |
Affected:
3.8.0 , ≤ 3.8.1
(maven)
Affected: 0 , ≤ 3.7.5 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-06T12:04:25.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/05/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T13:59:06.290280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:10.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache James server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.8.1",
"status": "affected",
"version": "3.8.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benoit TELLIER"
},
{
"lang": "en",
"type": "finder",
"value": "Wojciech Kapcia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\n\nUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T11:21:12.417Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache James: denial of service through JMAP HTML to text conversion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45626",
"datePublished": "2025-02-06T11:21:12.417Z",
"dateReserved": "2024-09-03T08:43:52.113Z",
"dateUpdated": "2025-02-12T19:51:10.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12628 (GCVE-0-2017-12628)
Vulnerability from nvd – Published: 2017-10-20 15:00 – Updated: 2024-08-05 18:43
VLAI
Summary
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.
Severity
No CVSS data available.
CWE
- Privilege escalation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.mail-archive.com/server-user%40james.… | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/101532 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache James |
Affected:
3.0.0
|
Date Public
2017-10-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html"
},
{
"name": "101532",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101532"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache James",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0"
}
]
}
],
"datePublic": "2017-10-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-24T09:57:02.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html"
},
{
"name": "101532",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101532"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-12628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache James",
"version": {
"version_data": [
{
"version_value": "3.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[server-user] 20171019 Announce: Apache James 3.0.1 security release",
"refsource": "MLIST",
"url": "https://www.mail-archive.com/server-user@james.apache.org/msg15633.html"
},
{
"name": "101532",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101532"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12628",
"datePublished": "2017-10-20T15:00:00.000Z",
"dateReserved": "2017-08-07T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:43:56.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7611 (GCVE-0-2015-7611)
Vulnerability from nvd – Published: 2016-06-07 14:00 – Updated: 2024-08-06 07:51
VLAI
Summary
Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/536575/100… | mailing-listx_refsource_BUGTRAQ |
| http://www.openwall.com/lists/oss-security/2015/10/01/2 | mailing-listx_refsource_MLIST |
| http://packetstormsecurity.com/files/133798/Apach… | x_refsource_MISC |
| https://blogs.apache.org/james/entry/apache_james… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2015/09/30/7 | mailing-listx_refsource_MLIST |
| http://packetstormsecurity.com/files/156463/Apach… | x_refsource_MISC |
Date Public
2015-09-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-20T22:06:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150930 Apache James Server 2.3.2 security vulnerability fixed",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536575/100/0/threaded"
},
{
"name": "[oss-security] 20151001 Re: Apache James Server 2.3.2 security vulnerability fixed VU#988628",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/10/01/2"
},
{
"name": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html"
},
{
"name": "https://blogs.apache.org/james/entry/apache_james_server_2_3",
"refsource": "CONFIRM",
"url": "https://blogs.apache.org/james/entry/apache_james_server_2_3"
},
{
"name": "[oss-security] 20150930 Apache James Server 2.3.2 security vulnerability fixed",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/09/30/7"
},
{
"name": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7611",
"datePublished": "2016-06-07T14:00:00.000Z",
"dateReserved": "2015-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}