CVE-2024-37358

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:james_server::::::::
	cpe:2.3:a:apache:james_server::::::::

History

16 Jul 2025, 13:58

Type	Values Removed	Values Added
CWE		CWE-770
CPE		cpe:2.3:a:apache:james_server::::::::
References	~~() https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc -~~	() https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc - Mailing List, Vendor Advisory
First Time		Apache Apache james Server
Summary		(es) De manera similar a CVE-2024-34055, Apache James es vulnerable a la denegación de servicio a través del abuso de literales IMAP de usuarios autenticados y no autenticados, lo que podría usarse para provocar una asignación de memoria ilimitada y cálculos muy largos. Las versiones 3.7.6 y 3.8.2 restringen dicho uso ilegítimo de literales IMAP.

06 Feb 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-06 12:15

Updated : 2025-07-16 13:58

NVD link : CVE-2024-37358

Mitre link : CVE-2024-37358

CVE.ORG link : CVE-2024-37358

JSON object : View

Products Affected

apache

james_server

CWE

CWE-20

Improper Input Validation

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-37358", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-02-06T12:15:26.343", "references": [{"url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."}, {"lang": "es", "value": "De manera similar a CVE-2024-34055, Apache James es vulnerable a la denegaci\u00f3n de servicio a trav\u00e9s del abuso de literales IMAP de usuarios autenticados y no autenticados, lo que podr\u00eda usarse para provocar una asignaci\u00f3n de memoria ilimitada y c\u00e1lculos muy largos. Las versiones 3.7.6 y 3.8.2 restringen dicho uso ileg\u00edtimo de literales IMAP."}], "lastModified": "2025-07-16T13:58:52.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A9CB5A9-4168-4D9F-9546-99CDB5AD0730", "versionEndExcluding": "3.7.6"}, {"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D6FC57E-541E-4FDB-8EF1-A62461E8F921", "versionEndExcluding": "3.8.2", "versionStartIncluding": "3.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}