CVE-2024-37358: Apache James vulnerable to denial of service through the use of IMAP literals

CVSS Score (v3.1): 8.6

Basic Information

EPSS Score: 0.40325%
Published: 2/6/2025
Updated: 2/6/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Package Name                                Ecosystem  Vulnerable Versions  First Patched Version
org.apache.james.protocols:protocols-imap   maven      < 3.7.6              3.7.6
org.apache.james.protocols:protocols-imap   maven      >= 3.8.0, < 3.8.2    3.8.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from improper input validation and resource control in IMAP literal handling. The unpatched functions allowed:
1) no cumulative size check across the literals of a command (enabling memory exhaustion),
2) no limit on line length (letting a single line consume an unbounded buffer), and
3) a uniform literal size limit regardless of authentication state (letting unauthenticated users trigger large allocations).
The patch added validations for exactly these scenarios, confirming these functions' role in the vulnerability.
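As an added illustration (not Apache James code and not the patch itself), here is a small Python reader for IMAP command lines that applies the three checks the analysis above names: a line-length cap, a per-literal cap that is stricter before authentication, and a cumulative cap across all literals of one command, each applied to the announced "{N}" size before any bytes are buffered. The limit values are constructed for the example.

```python
import re
# Constructed limits for this example, not the values Apache James uses.
MAX_LINE_LEN = 8192               # bytes in one command line, excluding CRLF
MAX_LITERAL_UNAUTH = 1024         # per-literal cap before LOGIN/AUTHENTICATE
MAX_LITERAL_AUTH = 1024 * 1024    # per-literal cap after authentication
MAX_CUMULATIVE = 2 * 1024 * 1024  # total literal bytes allowed in one command
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}$")  # "{N}" or "{N+}" (LITERAL+) ends a line

class LiteralRejected(Exception):
    """Raised before any literal bytes are read, so nothing large is allocated."""

def read_command(data: bytes, authenticated: bool):
    """Consume one IMAP command and return its literal payloads.
    Every "{N}" is checked against the per-literal and cumulative limits
    before the N bytes are read or buffered."""
    per_literal = MAX_LITERAL_AUTH if authenticated else MAX_LITERAL_UNAUTH
    literals = []
    total = pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise LiteralRejected("line not terminated")
        line = data[pos:end]
        if len(line) > MAX_LINE_LEN:       # bounded line buffering
            raise LiteralRejected("line too long")
        pos = end + 2
        match = LITERAL_RE.search(line)
        if match is None:
            return literals                # no literal follows: command complete
        digits = match.group(1)
        if len(digits) > 12:               # refuse absurd sizes without even parsing them
            raise LiteralRejected("literal size field too long")
        size = int(digits)
        if size > per_literal:             # stricter cap for unauthenticated clients
            raise LiteralRejected("literal too large")
        total += size
        if total > MAX_CUMULATIVE:         # many medium literals must not add up
            raise LiteralRejected("cumulative literal size too large")
        if len(data) - pos < size:
            raise LiteralRejected("truncated literal")
        literals.append(data[pos:pos + size])
        pos += size

def reject_reason(data: bytes, authenticated: bool):
    try:
        read_command(data, authenticated)
    except LiteralRejected as exc:
        return str(exc)
    return None
```

A real server would send a "NO" or "BAD" response and drop the connection instead of raising, but the order of checks is the point: the announced size is judged before it is honoured.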

WAF Protection Rules

WAF Rule

Similarly to CVE-****-*****, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations V
