James Server
CVE-2024-45626
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 16 maven packages depend on org.apache.james:james-server-jmap-draft (4 direct, 12 indirect)
Ecosystem-wide dependent count for version 3.8.0.
DescriptionCVE.org
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.
Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.
AnalysisAI
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue. Affected products include: Apache James Server. Version information: version 3.7.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
More in James Server
View allApache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary syst
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from bot
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issu
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today