github - ghsa-v6vp-62vc-84qw

ghsa-v6vp-62vc-84qw

Vulnerability from github

Published

2023-01-06 12:31

Modified

2023-01-12 16:48

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Apache James server allows an attacker with local access to access private user data in transit

Details

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.james:james-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-319",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:12:10Z",
    "nvd_published_at": "2023-01-06T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.",
  "id": "GHSA-v6vp-62vc-84qw",
  "modified": "2023-01-12T16:48:58Z",
  "published": "2023-01-06T12:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/james-project/commit/b5580d13d6c74ecbf647127eff1a3ac1086f5493"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/james-project"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache James server allows an attacker with local access to access private user data in transit"
}

cve-2022-45935

Vulnerability from cvelistv5

Published

2023-01-06 09:33

Modified

2024-08-03 14:24

Severity ?

Summary

References

▼	URL	Tags
	https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	vendor-advisory

Impacted products

Vendor

Product

Version

▼

Apache Software Foundation

Apache James server

Version: 0 ≤ 3.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache James server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Benoit Tellier"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions."
            }
          ],
          "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T10:18:19.197Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache James server: Temporary File Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-45935",
    "datePublished": "2023-01-06T09:33:30.150Z",
    "dateReserved": "2022-11-27T08:53:19.892Z",
    "dateUpdated": "2024-08-03T14:24:03.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted