CVE-2024-21742

Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/02/27/5	Mailing List
https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/27/5	Mailing List
https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:james_mime4j:*:*:*:*:*:*:*:*

History

14 Feb 2025, 15:27

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2024/02/27/5 -~~	() http://www.openwall.com/lists/oss-security/2024/02/27/5 - Mailing List
References	~~() https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy -~~	() https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy - Mailing List, Vendor Advisory
CPE		cpe:2.3:a:apache:james_mime4j::::::::
First Time		Apache james Mime4j Apache
CWE		CWE-74
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

13 Feb 2025, 18:16

Type	Values Removed	Values Added
Summary	(en) Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.	(en) Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.

Information

Published : 2024-02-27 17:15

Updated : 2025-03-25 16:15

NVD link : CVE-2024-21742

Mitre link : CVE-2024-21742

CVE.ORG link : CVE-2024-21742

JSON object : View

Products Affected

apache

james_mime4j

CWE

CWE-20

Improper Input Validation

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2024-21742", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-02-27T17:15:12.030", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/27/5", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/27/5", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages."}, {"lang": "es", "value": "La validaci\u00f3n de entrada incorrecta permite la inyecci\u00f3n de encabezado en la librer\u00eda MIME4J cuando se usa MIME4J DOM para redactar mensajes. Un atacante puede aprovechar esto para agregar encabezados no deseados a los mensajes MIME."}], "lastModified": "2025-03-25T16:15:18.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:james_mime4j:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C01C6CB8-02C8-41E1-8434-689F27347345", "versionEndIncluding": "0.8.9"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}