org.apache.james:james-server (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.james:james-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2023-51518 — CVSS 9.8 (critical): Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of…
CVE-2021-40525 — CVSS 9.1 (critical): Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing…
CVE-2015-7611 — CVSS 8.1 (high): Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via…
CVE-2021-40110 — CVSS 7.5 (high): In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using…
CVE-2022-28220 — CVSS 7.5 (high): Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of…
CVE-2023-51747 — CVSS 7.1 (high): Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create…
CVE-2021-40111 — CVSS 6.5 (medium): In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we discover that crafted APPEND and STATUS IMAP command could be used to…
CVE-2021-38542 — CVSS 5.9 (medium): Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in…
CVE-2022-45935 — CVSS 5.5 (medium): Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user…
CVE-2004-2650 — CVSS 4.9 (medium): Spooler in Apache Foundation James 2.2.0 allows local users to cause a denial of service (memory consumption) by triggering various error…
CVE-2022-22931 — CVSS 4.3 (medium): Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store…