CVE-2024-37358 — Apache James vulnerable to denial of service through the use of IMAP literals

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

How to fix CVE-2024-37358

To remediate CVE-2024-37358, upgrade the affected package to a fixed version below.

—upgrade to 3.7.6 or later

Is CVE-2024-37358 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.7.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-37358
PATCHgithub.com/apache/james-project
WEBgithub.com/apache/james-project/commit/6dd3ad9ea1f6a9bc887d2c7af3f5aa30a60ec769
WEBgithub.com/apache/james-project/commit/b2f3c06edfd37b409121bf04c56a6f026048a77e