Vulnerabilities > Apache > James

DATE CVE VULNERABILITY TITLE RISK
2023-04-03 CVE-2023-26269 Missing Authorization vulnerability in Apache James
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default.
local
low complexity
apache CWE-862
7.8
2023-01-06 CVE-2022-45787 Cleartext Storage of Sensitive Information vulnerability in Apache James
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users.
local
low complexity
apache CWE-312
5.5
2023-01-06 CVE-2022-45935 Exposure of Resource to Wrong Sphere vulnerability in Apache James
Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.
local
low complexity
apache CWE-668
5.5
2022-09-08 CVE-2022-28220 Command Injection vulnerability in Apache James
Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
network
low complexity
apache CWE-77
7.5
2022-02-07 CVE-2022-22931 Path Traversal vulnerability in Apache James 3.6.1
Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations.
network
low complexity
apache CWE-22
4.3
2022-01-04 CVE-2021-38542 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apache James 2.2.0/3.3.0/3.4.0
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
network
high complexity
apache CWE-327
5.9
2022-01-04 CVE-2021-40110 Unspecified vulnerability in Apache James 2.2.0/3.3.0/3.4.0
In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression.
network
low complexity
apache
7.5
2022-01-04 CVE-2021-40111 Infinite Loop vulnerability in Apache James 2.2.0/3.3.0/3.4.0
In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions.
network
low complexity
apache CWE-835
6.5
2022-01-04 CVE-2021-40525 Path Traversal vulnerability in Apache James
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file.
network
low complexity
apache CWE-22
critical
9.1
2019-04-17 CVE-2019-0228 XXE vulnerability in multiple products
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
network
low complexity
apache fedoraproject oracle CWE-611
critical
9.8