VulnerableCode Package Details - pkg:maven/org.apache.james/james-server@3.7.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-6gfs-f46a-3qeb Aliases: CVE-2023-51518 GHSA-px7w-c9gw-7gj3	Apache James server: Privilege escalation via JMX pre-authentication deserialization Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX	3.7.5 Affected by 0 other vulnerabilities. 3.8.1 Affected by 0 other vulnerabilities.
VCID-vv9x-5ab5-yfgc Aliases: CVE-2022-45935 GHSA-v6vp-62vc-84qw	Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.	3.7.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6gfs-f46a-3qeb
Aliases:
CVE-2023-51518
GHSA-px7w-c9gw-7gj3

Apache James server: Privilege escalation via JMX pre-authentication deserialization Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX

3.7.5
Affected by 0 other vulnerabilities.

3.8.1
Affected by 0 other vulnerabilities.

VCID-vv9x-5ab5-yfgc
Aliases:
CVE-2022-45935
GHSA-v6vp-62vc-84qw

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

3.7.3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-k6dw-17nc-xbd5	Apache James vulnerable to buffering attack Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.	CVE-2022-28220 GHSA-w45j-f5g5-w94x

Vulnerability

Summary

Aliases

VCID-k6dw-17nc-xbd5

Apache James vulnerable to buffering attack Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.

CVE-2022-28220
GHSA-w45j-f5g5-w94x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:52:31.326854+00:00	GitLab Importer	Affected by	VCID-6gfs-f46a-3qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2023-51518.yml	38.4.0
2026-04-16T22:19:03.199054+00:00	GitLab Importer	Affected by	VCID-vv9x-5ab5-yfgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-45935.yml	38.4.0
2026-04-16T22:08:28.431052+00:00	GitLab Importer	Fixing	VCID-k6dw-17nc-xbd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-28220.yml	38.4.0
2026-04-12T00:11:11.633211+00:00	GitLab Importer	Affected by	VCID-6gfs-f46a-3qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2023-51518.yml	38.3.0
2026-04-11T23:36:49.019173+00:00	GitLab Importer	Affected by	VCID-vv9x-5ab5-yfgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-45935.yml	38.3.0
2026-04-11T23:24:55.090949+00:00	GitLab Importer	Fixing	VCID-k6dw-17nc-xbd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-28220.yml	38.3.0
2026-04-03T00:17:08.846828+00:00	GitLab Importer	Affected by	VCID-6gfs-f46a-3qeb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2023-51518.yml	38.1.0
2026-04-02T23:41:17.639579+00:00	GitLab Importer	Affected by	VCID-vv9x-5ab5-yfgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-45935.yml	38.1.0
2026-04-02T23:31:16.248946+00:00	GitLab Importer	Fixing	VCID-k6dw-17nc-xbd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-28220.yml	38.1.0
2026-04-01T18:03:53.114658+00:00	GitLab Importer	Affected by	VCID-vv9x-5ab5-yfgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-45935.yml	38.0.0
2026-04-01T17:52:52.664246+00:00	GitLab Importer	Fixing	VCID-k6dw-17nc-xbd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.james/james-server/CVE-2022-28220.yml	38.0.0
2026-04-01T16:03:07.125737+00:00	GHSA Importer	Fixing	VCID-k6dw-17nc-xbd5	https://github.com/advisories/GHSA-w45j-f5g5-w94x	38.0.0
2026-04-01T13:05:29.348032+00:00	GithubOSV Importer	Fixing	VCID-k6dw-17nc-xbd5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-w45j-f5g5-w94x/GHSA-w45j-f5g5-w94x.json	38.0.0