Apache James security advisories

Security information for Apache James

Reporting

Do you want disclose a potential security issue for Apache James? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Apache James: denial of service through JMAP HTML to text conversion

CVE-2024-45626 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-06T11:21:05.038Z

Affected

  • Apache James server from 3.8.0 through 3.8.1
  • Apache James server through 3.7.5

Description

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service.

Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

References

Credits

  • Benoit TELLIER (finder)
  • Wojciech Kapcia (finder)

Apache James: denial of service through the use of IMAP literals

CVE-2024-37358 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-01T09:40:16.733Z

Affected

  • Apache James server through 3.7.5
  • Apache James server from 3.8.0 through 3.8.1

Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations

Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

References

Credits

  • Xavier GUIMARD (reporter)
  • Benoit TELLIER (coordinator)

Mime4J DOM header injection

CVE-2024-21742 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-06T13:11:31.892Z

Affected

  • Apache James Mime4J through 0.8.9

Description

Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.
This can be exploited by an attacker to add unintended headers to MIME messages.

References

Credits

  • Benoit TELLIER (finder)

SMTP smuggling in Apache James

CVE-2023-51747 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-27T13:07:59.703Z

Affected

  • Apache James server through 3.7.4
  • Apache James server from 3.8 through 3.8.0

Description

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling.

A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks.

The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction.

We recommend James users to upgrade to non vulnerable versions.

References

Credits

  • Benoit TELLIER (coordinator)

Privilege escalation via JMX pre-authentication deserialisation

CVE-2023-51518 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-27T09:09:28.523Z

Affected

  • Apache James server through 3.7.4
  • Apache James server from 3.8 through 3.8.0

Description

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.

Note that by default JMX endpoint is only bound locally.

We recommend users to:
 - Upgrade to a non-vulnerable Apache James version
 - Run Apache James isolated from other processes (docker - dedicated virtual machine)
 - If possible turn off JMX

References

Credits

  • Mal Aware (reporter)
  • Arnout Engelen (analyst)

Privilege escalation through unauthenticated JMX

CVE-2023-26269 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-03T07:59:07.659Z

Affected

  • Apache James server through 3.7.3

Description

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.
Administrators are advised to disable JMX, or set up a JMX password.
Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

References

Credits

  • Matei “Mal” Badanoiu (reporter)

Temporary File Information Disclosure

CVE-2022-45935 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-12T10:18:16.935Z

Affected

  • Apache James server through 3.7.2

Description

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit.

Vulnerable components includes the SMTP stack and IMAP APPEND command.

This issue affects Apache James server version 3.7.2 and prior versions.

References

Credits

  • Benoit Tellier (reporter)

Temporary File Information Disclosure in MIME4J TempFileStorageProvider

CVE-2022-45787 [CVE] [CVE json] [OSV json]

Last updated: 2023-01-16T10:25:33.637Z

Affected

  • Apache James MIME4J through 0.8.8

Description

Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.

We recommend users to upgrade to MIME4j version 0.8.9 or later.

References

Credits

  • Jonathan Leitschuh (finder)

STARTTLS command injection in Apache JAMES

CVE-2022-28220 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-20T08:36:32.785Z

Affected

  • Apache James from Apache James through 3.6.2

Description

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.

Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

References

Credits

  • Apache James PMC would like to thanks Benoit TELLIER for this report, and Fabian Ising for his support.

Path traversal in Apache James 3.6.1

CVE-2022-22931 [CVE] [CVE json] [OSV json]

Last updated: 2022-02-07T18:45:09.142Z

Affected

  • Apache James at 3.6.1

Description

Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations.

Affected implementations include:

  • maildir mailbox store
  • Sieve file repository

This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used).

References

Credits

  • These issues were discovered and reported by GHSL team member Jaroslav Lobačevski

Sieve file storage vulnerable to path traversal attacks

CVE-2021-40525 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-04T08:49:17.932Z

Affected

  • Apache James from Apache James through 3.6.0

Description

Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade.

Distributed and Cassandra based products are also not impacted.

References

Credits

  • The Apache James PMC would like to thanks Benoit TELLIER for the report.

Apache James IMAP parsing Denial Of Service

CVE-2021-40111 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-04T08:48:24.795Z

Affected

  • Apache James from Apache James through 3.6.0

Description

In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1.

This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade.

References

Credits

  • The Apache James PMC would like to thanks Benoit TELLIER for the report.

Apache James IMAP vulnerable to a ReDoS

CVE-2021-40110 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-04T08:47:33.579Z

Affected

  • Apache James from Apache James through 3.6.0

Description

In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1

We recommend upgrading to Apache James 3.6.1 or higher , which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking.

References

Credits

  • Apache James PMC would like to thanks Benoit TELLIER for this report.

Apache James vulnerable to STARTTLS command injection (IMAP and POP3)

CVE-2021-38542 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-04T08:46:18.750Z

Affected

  • Apache James from Apache James before 3.6.1

Description

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in Man-in -the-middle command injection attacks, leading potentially to leakage of sensible information.

References

Credits

  • We thanks Benoit Tellier, Raphael Ouazana for reporting this vulnerability as well as Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel Münster University of Applied Science for their research and tools regarding STARTTLS security.