Apache James
14 CVEs affecting Apache James. Latest disclosed: 2024-02-27. Critical: 3, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-51518 | Critical | 9.8 | 2024-02-27 | Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a dese… |
| CVE-2019-0228 | Critical | 9.8 | 2019-04-17 | Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a c… |
| CVE-2021-40525 | Critical | 9.1 | 2022-01-04 | Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any fi… |
| CVE-2023-26269 | High | 7.8 | 2023-04-03 | Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malic… |
| CVE-2022-28220 | High | 7.5 | 2022-09-08 | Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solv… |
| CVE-2021-40110 | High | 7.5 | 2022-01-04 | In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regula… |
| CVE-2023-51747 | High | 7.1 | 2024-02-27 | Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of in… |
| CVE-2021-40111 | Medium | 6.5 | 2022-01-04 | In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite lo… |
| CVE-2021-38542 | Medium | 5.9 | 2022-01-04 | Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in-the-middle comma… |
| CVE-2022-45935 | Medium | 5.5 | 2023-01-06 | Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vu… |
| CVE-2022-45787 | Medium | 5.5 | 2023-01-06 | Improper lax permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue a… |
| CVE-2022-22931 | Medium | 4.3 | 2022-02-07 | Fix of CVE-2021-40525 does not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file reposi… |
| CVE-2006-2806 | | | 2006-06-05 | The SMTP server in Apache Java Mail Enterprise Server (aka Apache James) 2.2.0 allows remote attackers to cause a denial of service (CPU consumption) via a lon… |
| CVE-2004-2650 | | | 2004-12-31 | Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error conditions in the ret… |