cvelistv5 - CVE-2022-45935

CVE-2022-45935 (GCVE-0-2022-45935)

Vulnerability from cvelistv5 – Published: 2023-01-06 09:33 – Updated: 2025-04-10 13:35

Summary

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

Severity ?

No CVSS data available.

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/j61fo8xc1rxtofrn8…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache James server	Affected: 0 , ≤ 3.7.2 (semver)

Credits

Benoit Tellier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-45935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T13:35:27.107323Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T13:35:31.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache James server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Benoit Tellier"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions."
            }
          ],
          "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T10:18:19.197Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache James server: Temporary File Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-45935",
    "datePublished": "2023-01-06T09:33:30.150Z",
    "dateReserved": "2022-11-27T08:53:19.892Z",
    "dateUpdated": "2025-04-10T13:35:31.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.7.2\", \"matchCriteriaId\": \"F0C5B5CE-7844-48F0-A791-3823B74B4F1A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \\n\\nVulnerable components includes the SMTP stack and IMAP APPEND command.\\n\\nThis issue affects Apache James server version 3.7.2 and prior versions.\"}, {\"lang\": \"es\", \"value\": \"El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\\u00f3n 3.7.2 y versiones anteriores.\"}]",
      "id": "CVE-2022-45935",
      "lastModified": "2024-11-21T07:29:59.833",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2023-01-06T10:15:10.447",
      "references": "[{\"url\": \"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-668\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-668\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-45935\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-01-06T10:15:10.447\",\"lastModified\":\"2025-04-10T14:15:24.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \\n\\nVulnerable components includes the SMTP stack and IMAP APPEND command.\\n\\nThis issue affects Apache James server version 3.7.2 and prior versions.\"},{\"lang\":\"es\",\"value\":\"El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\u00f3n 3.7.2 y versiones anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.7.2\",\"matchCriteriaId\":\"F0C5B5CE-7844-48F0-A791-3823B74B4F1A\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"Apache James server\", \"vendor\": \"Apache Software Foundation\", \"versions\": [{\"lessThanOrEqual\": \"3.7.2\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Benoit Tellier\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions.\"}], \"value\": \"Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \\n\\nVulnerable components includes the SMTP stack and IMAP APPEND command.\\n\\nThis issue affects Apache James server version 3.7.2 and prior versions.\"}], \"metrics\": [{\"other\": {\"content\": {\"text\": \"low\"}, \"type\": \"Textual description of severity\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-668\", \"description\": \"CWE-668 Exposure of Resource to Wrong Sphere\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-07-12T10:18:19.197Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Apache James server: Temporary File Information Disclosure\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:24:03.215Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-45935\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-10T13:35:27.107323Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-10T13:35:18.465Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-45935\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"apache\", \"dateReserved\": \"2022-11-27T08:53:19.892Z\", \"datePublished\": \"2023-01-06T09:33:30.150Z\", \"dateUpdated\": \"2025-04-10T13:35:31.647Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-V6VP-62VC-84QW

Vulnerability from github – Published: 2023-01-06 12:31 – Updated: 2023-01-12 16:48

Summary

Apache James server allows an attacker with local access to access private user data in transit

Details

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.james:james-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-319",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:12:10Z",
    "nvd_published_at": "2023-01-06T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.",
  "id": "GHSA-v6vp-62vc-84qw",
  "modified": "2023-01-12T16:48:58Z",
  "published": "2023-01-06T12:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/james-project/commit/b5580d13d6c74ecbf647127eff1a3ac1086f5493"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/james-project"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache James server allows an attacker with local access to access private user data in transit"
}

FKIE_CVE-2022-45935

Vulnerability from fkie_nvd - Published: 2023-01-06 10:15 - Updated: 2025-04-10 14:15

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	Mailing List, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	james	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0C5B5CE-7844-48F0-A791-3823B74B4F1A",
              "versionEndIncluding": "3.7.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
    },
    {
      "lang": "es",
      "value": "El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\u00f3n 3.7.2 y versiones anteriores."
    }
  ],
  "id": "CVE-2022-45935",
  "lastModified": "2025-04-10T14:15:24.033",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-06T10:15:10.447",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GSD-2022-45935

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-45935

Aliases

CVE-2022-45935

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-45935",
    "description": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.",
    "id": "GSD-2022-45935"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-45935"
      ],
      "details": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions.",
      "id": "GSD-2022-45935",
      "modified": "2023-12-13T01:19:24.523935Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-45935",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache James server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0",
                          "version_value": "3.7.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Benoit Tellier"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-668",
                "lang": "eng",
                "value": "CWE-668 Exposure of Resource to Wrong Sphere"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,3.7.2]",
          "affected_versions": "All versions up to 3.7.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2023-01-09",
          "description": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.",
          "fixed_versions": [],
          "identifier": "CVE-2022-45935",
          "identifiers": [
            "GHSA-v6vp-62vc-84qw",
            "CVE-2022-45935"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.james/james-server",
          "pubdate": "2023-01-06",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-45935",
            "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d",
            "https://github.com/apache/james-project/commit/b5580d13d6c74ecbf647127eff1a3ac1086f5493",
            "https://github.com/advisories/GHSA-v6vp-62vc-84qw"
          ],
          "uuid": "708dc032-9fc6-4653-a2a6-d9bb849311e5"
        },
        {
          "affected_range": "(,3.7.2]",
          "affected_versions": "All versions up to 3.7.2",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-668",
            "CWE-937"
          ],
          "date": "2023-07-12",
          "description": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.",
          "fixed_versions": [],
          "identifier": "CVE-2022-45935",
          "identifiers": [
            "CVE-2022-45935"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.jamesframework/james",
          "pubdate": "2023-01-06",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-45935",
            "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
          ],
          "uuid": "bc6aaa85-d9cb-4fa4-b93f-9928613fed2a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.7.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-45935"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-668"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-12T11:15Z",
      "publishedDate": "2023-01-06T10:15Z"
    }
  }
}

VAR-202301-0613

Vulnerability from variot - Updated: 2023-12-18 12:25

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.

Vulnerable components includes the SMTP stack and IMAP APPEND command.

This issue affects Apache James server version 3.7.2 and prior versions

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202301-0613",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "james",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "3.7.2"
      },
      {
        "model": "james",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "apache",
        "version": "3.7.2  and earlier"
      },
      {
        "model": "james",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.7.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      }
    ]
  },
  "cve": "CVE-2022-45935",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2022-45935",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-45935",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202301-445",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command. \n\nThis issue affects Apache James server version 3.7.2 and prior versions",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-45935"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-45935",
        "trust": 3.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-45935",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "id": "VAR-202301-0613",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.2536232
  },
  "last_update_date": "2023-12-18T12:25:37.219000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Temporary\u00a0File\u00a0Information\u00a0Disclosure",
        "trust": 0.8,
        "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
      },
      {
        "title": "Apache James Repair measures for information disclosure vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=220229"
      },
      {
        "title": "Red Hat: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2022-45935"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2022-45935 "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-668",
        "trust": 1.0
      },
      {
        "problemtype": "Sending important information in clear text (CWE-319) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-45935"
      },
      {
        "trust": 0.7,
        "url": "https://access.redhat.com/security/cve/cve-2022-45935"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-45935/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/200.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2022-45935"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-06T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "date": "2023-05-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "date": "2023-01-06T10:15:10.447000",
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "date": "2023-01-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-06T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-45935"
      },
      {
        "date": "2023-05-11T02:36:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      },
      {
        "date": "2023-07-12T11:15:09.623000",
        "db": "NVD",
        "id": "CVE-2022-45935"
      },
      {
        "date": "2023-07-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache\u00a0James\u00a0 Vulnerability related to transmission of important information in plaintext in server",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-001783"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-445"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2023-05222

Vulnerability from cnvd - Published: 2023-01-30

Title

Apache James信息泄露漏洞

Description

Apache James是美国阿帕奇（Apache）基金会的一个完全用Java编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。 Apache James server存在信息泄露漏洞，该漏洞源于其使用具有不安全权限的临时文件，具有本地访问权限的攻击者可利用该漏洞访问传输中的私有用户数据。

Severity

中

Patch Name

Apache James信息泄露漏洞的补丁

Patch Description

Apache James是美国阿帕奇（Apache）基金会的一个完全用Java编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。 Apache James server存在信息泄露漏洞，该漏洞源于其使用具有不安全权限的临时文件，具有本地访问权限的攻击者可利用该漏洞访问传输中的私有用户数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-45935

Impacted products

Name
Apache James <=3.7.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-45935",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935"
    }
  },
  "description": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528Java\u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\n\nApache James server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f7f\u7528\u5177\u6709\u4e0d\u5b89\u5168\u6743\u9650\u7684\u4e34\u65f6\u6587\u4ef6\uff0c\u5177\u6709\u672c\u5730\u8bbf\u95ee\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f20\u8f93\u4e2d\u7684\u79c1\u6709\u7528\u6237\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-05222",
  "openTime": "2023-01-30",
  "patchDescription": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528Java\u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\r\n\r\nApache James server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f7f\u7528\u5177\u6709\u4e0d\u5b89\u5168\u6743\u9650\u7684\u4e34\u65f6\u6587\u4ef6\uff0c\u5177\u6709\u672c\u5730\u8bbf\u95ee\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f20\u8f93\u4e2d\u7684\u79c1\u6709\u7528\u6237\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache James\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache James \u003c=3.7.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935",
  "serverity": "\u4e2d",
  "submitTime": "2023-01-11",
  "title": "Apache James\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-45935 (GCVE-0-2022-45935)

GHSA-V6VP-62VC-84QW

FKIE_CVE-2022-45935

GSD-2022-45935

VAR-202301-0613

CNVD-2023-05222

Tags

Sightings

Nomenclature