CVE-2024-45626 MEDIUM

CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion

Vendor: Apache Software Foundation
Product: Apache James server
Weakness: CWE-400
Published: February 6, 2025
Last update: February 12, 2025

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

The JMAP HTML-to-plain-text conversion in Apache James server versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption, which can result in a denial of service. Users are recommended to upgrade to version 3.7.6 or 3.8.2, which fix this issue.

Key dates

Disclosure timeline

February 6, 2025: CVE published
February 12, 2025: Record updated