CVE-2022-45935

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	Mailing List Vendor Advisory
https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-01-06 10:15

Updated : 2025-04-10 14:15

NVD link : CVE-2022-45935

Mitre link : CVE-2022-45935

CVE.ORG link : CVE-2022-45935

JSON object : View

Products Affected

apache

james

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2022-45935", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-01-06T10:15:10.447", "references": [{"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-668"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."}, {"lang": "es", "value": "El uso de archivos temporales con permisos inseguros por parte del servidor Apache James permite a un atacante con acceso local acceder a datos privados del usuario en tr\u00e1nsito. Los componentes vulnerables incluyen la pila SMTP y el comando IMAP APPEND. Este problema afecta al servidor Apache James versi\u00f3n 3.7.2 y versiones anteriores."}], "lastModified": "2025-04-10T14:15:24.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:james:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0C5B5CE-7844-48F0-A791-3823B74B4F1A", "versionEndIncluding": "3.7.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}