CVE-2024-37358

CWE-770 — Allocation without Limits CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

7.5HIGH

EPSS

0.8%

top 26.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache James Server Apache Software Foundation Apache James Server

Timeline

PublishedFeb 6

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

▶Mavenorg.apache.james.protocols:protocols-imap3.8.0 — 3.8.2+1

▶NVDapache/james_server3.8.0 — 3.8.2+1

▶CVEListV5apache_software_foundation/apache_james_server3.8.0 — 3.8.1+1

🔴Vulnerability Details

GHSA

Apache James vulnerable to denial of service through the use of IMAP literals↗2025-02-06

▶

OSV

Apache James vulnerable to denial of service through the use of IMAP literals↗2025-02-06

▶

CVEList

Apache James: denial of service through the use of IMAP literals↗2025-02-06

▶