CVE-2024-37358

Source
https://cve.org/CVERecord?id=CVE-2024-37358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37358
Aliases
Published
2025-02-06T12:15:26.343Z
Modified
2026-04-10T05:14:09.308793Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals by both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations.

Versions 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

References

Affected packages

Git / github.com/apache/james-project

Affected ranges

Type
GIT
Repo
https://github.com/apache/james-project
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.7.6"
        },
        {
            "introduced": "3.8.0"
        },
        {
            "fixed": "3.8.2"
        }
    ]
}

Affected versions

Other
cassandra_migration_v1_to_v2
james-project-3.*
james-project-3.0-beta5
james-project-3.0.0
james-project-3.0.0-RC1
james-project-3.0.0-beta5
james-project-3.3.0
james-project-3.4.0
james-project-3.7.0
james-project-3.7.1
james-project-3.7.2
james-project-3.7.3
james-project-3.7.4
james-project-3.7.5
james-project-3.8.0
james-project-3.8.1
pre-3.*
pre-3.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37358.json"