CVE-2024-45626: Apache James vulnerable to denial of service through JMAP HTML to text conversion
The JMAP HTML to plain text conversion in Apache James server versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption, which can result in a denial of service.
Users are recommended to upgrade to version 3.7.6 or 3.8.2, which fix this issue.
References
- github.com/advisories/GHSA-57m2-h3fw-rxhw
- github.com/apache/james-project/commit/372f1f83b6825fb0f92147803a9bf215b8ff690d
- github.com/apache/james-project/commit/537ae380f9837f74c075f0ed2b625affa9b20122
- github.com/apache/james-project/pull/1422
- github.com/linagora/james-project
- lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl
- nvd.nist.gov/vuln/detail/CVE-2024-45626