CVE-2024-37358 HIGH

CVE-2024-37358: Apache James: denial of service through the use of IMAP literals

Vendor Apache Software Foundation

Product Apache James server

Weakness CWE-770 · Uncontrolled resource consumption

Published February 6, 2025

Last update September 1, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Key dates

Disclosure timeline

February 6, 2025 CVE published

September 1, 2025 Record updated

Identifiers

CVE CVE-2024-37358

CWE CWE-770

CVSS 8.6 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache James server

Affected ≤ 3.7.5

Vendor Apache Software Foundation

Product Apache James server

Affected ≥ 3.8.0 and ≤ 3.8.1