CVE-2024-37358 – org.apache.james.protocols:protocols-imap
Package
Manager: maven
Name: org.apache.james.protocols:protocols-imap
Vulnerable Version: >=0 <3.7.6 || >=3.8.0 <3.8.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00862 (percentile 0.74206)
Details
Apache James vulnerable to denial of service through the use of IMAP literals.
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals by both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations. Versions 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
Metadata
Created: 2025-02-06T12:31:58Z
Modified: 2025-02-06T19:01:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-56jp-w6vw-j3jw/GHSA-56jp-w6vw-j3jw.json
CWE IDs: ["CWE-20", "CWE-400", "CWE-770"]
Alternative ID: GHSA-56jp-w6vw-j3jw
Finding: F002
Auto approve: 1