James Server@* Security Vulnerabilities and Issues — James Server@* CVE List

Lucene search

ApacheJames Server*

7 matches found

CVE•added 2024/02/27 2:15 p.m.•5845 views

CVE-2023-51747

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to byp...

7.1CVSS6.8AI score0.00246EPSS

CVE•added 2024/02/27 9:15 a.m.•4112 views

CVE-2023-51518

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.Note that by default JMX en...

9.8CVSS9.5AI score0.00445EPSS

CVE•added 2023/01/06 10:15 a.m.•82 views

CVE-2022-45935

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

5.5CVSS5.2AI score0.00025EPSS

CVE•added 2025/02/06 12:15 p.m.•68 views

CVE-2024-37358

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate u...

8.6CVSS8.3AI score0.00512EPSS

CVE•added 2025/02/06 12:15 p.m.•56 views

CVE-2024-45626

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

7.5CVSS6.4AI score0.00541EPSS

CVE•added 2017/10/20 3:29 p.m.•54 views

CVE-2017-12628

The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Rel...

7.8CVSS7.9AI score0.00082EPSS

CVE•added 2023/04/03 8:15 a.m.•54 views

CVE-2023-26269

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by amalicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX passwor...

7.8CVSS7.8AI score0.01063EPSS