Lucene search

GitHub Advisory DatabaseGHSA-V6VP-62VC-84QW

HistoryJan 06, 2023 - 12:31 p.m.

Apache James server allows an attacker with local access to access private user data in transit

2023-01-0612:31:34

CWE-200

CWE-319

CWE-668

GitHub Advisory Database

github.com

apache james

insecure permissions

private user data

smtp stack

imap append command

version 3.7.2

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

Affected configurations

Vulners

Node

org.apache.james\jamesMatchserver

CPENameOperatorVersion
org.apache.james:james-serverle3.7.2

CPE	Name	Operator	Version
	org.apache.james:james-server	le	3.7.2

References

github.com/advisories/GHSA-v6vp-62vc-84qw

github.com/apache/james-project/commit/b5580d13d6c74ecbf647127eff1a3ac1086f5493

lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d

nvd.nist.gov/vuln/detail/CVE-2022-45935

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for GHSA-V6VP-62VC-84QW