CVE-2022-45935

CWE-668 — Exposure to Wrong Sphere CWE-200 — Information Exposure CWE-319 — Cleartext Transmission5 documents5 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 68.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache James Server Apache James

Timeline

PublishedJan 6

Description

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.james:james-server3.7.2

▶CVEListV5apache_software_foundation/apache_james_server3.7.2

▶NVDapache/james3.7.2

🔴Vulnerability Details

CVEList

Apache James server: Temporary File Information Disclosure↗2023-01-06

▶

OSV

Apache James server allows an attacker with local access to access private user data in transit↗2023-01-06

▶

GHSA

Apache James server allows an attacker with local access to access private user data in transit↗2023-01-06

▶

📋Vendor Advisories

Red Hat

apache-james: Temporary File Information Disclosure↗2023-01-06

▶