CVE-2024-37358

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:james_server::::::::
	cpe:2.3:a:apache:james_server::::::::

History

No history.

Information

Published : 2025-02-06 12:15

Updated : 2025-09-29 21:43

NVD link : CVE-2024-37358

Mitre link : CVE-2024-37358

CVE.ORG link : CVE-2024-37358

JSON object : View

Products Affected

apache

james_server

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-37358", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-02-06T12:15:26.343", "references": [{"url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-770"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."}, {"lang": "es", "value": "De manera similar a CVE-2024-34055, Apache James es vulnerable a la denegaci\u00f3n de servicio a trav\u00e9s del abuso de literales IMAP de usuarios autenticados y no autenticados, lo que podr\u00eda usarse para provocar una asignaci\u00f3n de memoria ilimitada y c\u00e1lculos muy largos. Las versiones 3.7.6 y 3.8.2 restringen dicho uso ileg\u00edtimo de literales IMAP."}], "lastModified": "2025-09-29T21:43:42.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A9CB5A9-4168-4D9F-9546-99CDB5AD0730", "versionEndExcluding": "3.7.6"}, {"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D6FC57E-541E-4FDB-8EF1-A62461E8F921", "versionEndExcluding": "3.8.2", "versionStartIncluding": "3.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}