CVE-2024-37358

HIGH

Apache James Server < 3.7.6 - Resource Allocation Without Limits

Title source: rule

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

References (1)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc

Scores

CVSS v3 8.6

EPSS 0.0304

EPSS Percentile 86.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Classification

CWE

CWE-770

Status published

Affected Products (2)

apache/james_server < 3.7.6

org.apache.james.protocols/protocols-imap < 3.7.6Maven

Timeline

Published Feb 06, 2025

Tracked Since Feb 18, 2026