CVE-2024-37358

Published: Feb 6, 2025Modified: Sep 29, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Affected (2)

Products: Apache: James Server

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache James Server	Before 3.7.6
Apache James Server	From 3.8.0 to 3.8.2

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (1)

https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc

Source: security@apache.org

Mailing ListVendor Advisory

Timeline

No history available yet.