Cyber Posture

CVE-2024-37358

High

Published: 06 February 2025
Modified: 29 September 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0076 (73.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations. Versions 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Security Summary

CVE-2024-37358 is a denial-of-service vulnerability in Apache James, similar to CVE-2024-34055, stemming from the abuse of IMAP literals. This flaw enables both authenticated and unauthenticated users to trigger unbounded memory allocation and excessively long computations, as classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability affects Apache James versions prior to the patched releases.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges and no user interaction; the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, base score 8.6) records a scope change and a high impact on availability, with no impact on confidentiality or integrity. Successful exploitation leads to denial of service through resource exhaustion.

Apache advisories note that versions 3.7.6 and 3.8.2 mitigate the issue by restricting illegitimate use of IMAP literals. Further details are available in the Apache mailing list thread at https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc.

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

Vendor: apache
Product: james server
Versions: ≤ 3.7.6 · 3.8.0 to 3.8.2

References