CVE-2024-45626 - Vulnerability Details - OpenCVE

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	James Server

Configuration 1 [-]

OR	cpe:2.3:a:apache:james_server::::::::
	cpe:2.3:a:apache:james_server::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/02/05/7
https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl

History

Tue, 11 Feb 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache james Server
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apache:james_server::::::::
Vendors & Products		Apache Apache james Server

Thu, 06 Feb 2025 12:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/02/05/7

Thu, 06 Feb 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.
Title		Apache James: denial of service through JMAP HTML to text conversion
Weaknesses		CWE-400
References		https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-02-06T11:21:12.417Z

Updated: 2025-02-12T19:51:10.343Z

Reserved: 2024-09-03T08:43:52.113Z

Link: CVE-2024-45626

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-02-06T12:15:27.110

Modified: 2025-02-11T16:12:04.307

Link: CVE-2024-45626

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45626", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-09-03T08:43:52.113Z", "datePublished": "2025-02-06T11:21:12.417Z", "dateUpdated": "2025-02-12T19:51:10.343Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache James server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.8.1", "status": "affected", "version": "3.8.0", "versionType": "maven"}, {"lessThanOrEqual": "3.7.5", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Benoit TELLIER"}, {"lang": "en", "type": "finder", "value": "Wojciech Kapcia"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.<br><br>Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."}], "value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\n\nUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-02-06T11:21:12.417Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl"}], "source": {"discovery": "INTERNAL"}, "title": "Apache James: denial of service through JMAP HTML to text conversion", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/02/05/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-06T12:04:25.994Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-06T13:59:06.290280Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:10.343Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A9CB5A9-4168-4D9F-9546-99CDB5AD0730", "versionEndExcluding": "3.7.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:james_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D6FC57E-541E-4FDB-8EF1-A62461E8F921", "versionEndExcluding": "3.8.2", "versionStartIncluding": "3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.\n\nUsers are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue."}, {"lang": "es", "value": "La implementaci\u00f3n de JMAP HTML a texto plano del servidor Apache James en versiones anteriores a 3.8.2 y 3.7.6 est\u00e1 sujeta a un consumo de memoria ilimitado que puede provocar una denegaci\u00f3n de servicio. Se recomienda a los usuarios que actualicen a las versiones 3.7.6 y 3.8.2, que solucionan este problema. "}], "id": "CVE-2024-45626", "lastModified": "2025-02-11T16:12:04.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@apache.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-06T12:15:27.110", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2025/02/05/7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}