CVE-2024-37358 - Vulnerability Details - OpenCVE

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	James Server

Configuration 1 [-]

OR	cpe:2.3:a:apache:james_server::::::::
	cpe:2.3:a:apache:james_server::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc

History

Wed, 16 Jul 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache james Server
Weaknesses		CWE-770
CPEs		cpe:2.3:a:apache:james_server::::::::
Vendors & Products		Apache Apache james Server

Thu, 06 Feb 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
Title		Apache James: denial of service through the use of IMAP literals
Weaknesses		CWE-20
References		https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-02-06T11:22:38.260Z

Updated: 2025-02-12T19:51:10.228Z

Reserved: 2024-06-06T07:07:32.731Z

Link: CVE-2024-37358

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-02-06T12:15:26.343

Modified: 2025-07-16T13:58:52.197

Link: CVE-2024-37358

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37358", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-06-06T07:07:32.731Z", "datePublished": "2025-02-06T11:22:38.260Z", "dateUpdated": "2025-02-12T19:51:10.228Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://james.apache.org/", "defaultStatus": "unaffected", "product": "Apache James server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.7.5", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "3.8.1", "status": "affected", "version": "3.8.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Xavier GUIMARD"}, {"lang": "en", "type": "coordinator", "value": "Benoit TELLIER"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations<br><br>Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.<br>"}], "value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-02-06T11:22:38.260Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache James: denial of service through the use of IMAP literals", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-06T13:57:35.810182Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:10.228Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A9CB5A9-4168-4D9F-9546-99CDB5AD0730", "versionEndExcluding": "3.7.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D6FC57E-541E-4FDB-8EF1-A62461E8F921", "versionEndExcluding": "3.8.2", "versionStartIncluding": "3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations\n\nVersion 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals."}, {"lang": "es", "value": "De manera similar a CVE-2024-34055, Apache James es vulnerable a la denegaci\u00f3n de servicio a trav\u00e9s del abuso de literales IMAP de usuarios autenticados y no autenticados, lo que podr\u00eda usarse para provocar una asignaci\u00f3n de memoria ilimitada y c\u00e1lculos muy largos. Las versiones 3.7.6 y 3.8.2 restringen dicho uso ileg\u00edtimo de literales IMAP."}], "id": "CVE-2024-37358", "lastModified": "2025-07-16T13:58:52.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-02-06T12:15:26.343", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Primary"}]}