CVE-2024-45626

Medium

Published: 06 February 2025
Modified: 11 February 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.3 percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The JMAP HTML-to-plain-text implementation in Apache James server versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 or 3.8.2, which fix this issue.

Security Summary

CVE-2024-45626 affects the JMAP HTML-to-plain-text implementation in Apache James server versions below 3.8.2 and 3.7.6. The vulnerability involves unbounded memory consumption, which can lead to a denial of service. It is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low attack complexity and no user interaction. By sending crafted input to the affected JMAP component, the attacker triggers excessive memory usage, causing a high-impact availability disruption with no impact on confidentiality or integrity.

Apache advisories recommend upgrading to version 3.7.6 or 3.8.2, which address the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/02/05/7.

Details

CWE(s): CWE-400, NVD-CWE-noinfo

Affected Products

Vendor: apache
Product: james server
Versions: ≤ 3.7.6 · 3.8.0 — 3.8.2

References