cnvd - cnvd-2023-05221

cnvd-2023-05221

Vulnerability from cnvd

Title: Apache James授权问题漏洞

Description:

Apache James是美国阿帕奇（Apache）基金会的一个完全用 Java 编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。

Apache James存在授权问题漏洞，该漏洞源于对MIME4J TempFileStorageProvider使用的临时文件的不适当的宽松权限，攻击者可利用该漏洞导致信息泄露给其他本地用户。

Severity: 中

Patch Name: Apache James授权问题漏洞的补丁

Patch Description:

Apache James是美国阿帕奇（Apache）基金会的一个完全用 Java 编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。

Apache James存在授权问题漏洞，该漏洞源于对MIME4J TempFileStorageProvider使用的临时文件的不适当的宽松权限，攻击者可利用该漏洞导致信息泄露给其他本地用户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45787

Impacted products

Name
Apache James MIME4J <=0.8.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-45787",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-45787"
    }
  },
  "description": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528 Java \u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\n\nApache James\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9MIME4J TempFileStorageProvider\u4f7f\u7528\u7684\u4e34\u65f6\u6587\u4ef6\u7684\u4e0d\u9002\u5f53\u7684\u5bbd\u677e\u6743\u9650\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u7ed9\u5176\u4ed6\u672c\u5730\u7528\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-05221",
  "openTime": "2023-01-30",
  "patchDescription": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528 Java \u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\r\n\r\nApache James\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9MIME4J TempFileStorageProvider\u4f7f\u7528\u7684\u4e34\u65f6\u6587\u4ef6\u7684\u4e0d\u9002\u5f53\u7684\u5bbd\u677e\u6743\u9650\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u7ed9\u5176\u4ed6\u672c\u5730\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache James\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache James MIME4J \u003c=0.8.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-45787",
  "serverity": "\u4e2d",
  "submitTime": "2023-01-11",
  "title": "Apache James\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2022-45787 (GCVE-0-2022-45787)

Vulnerability from cvelistv5

Published

2023-01-06 09:31

Modified

2025-04-09 19:32

Severity ?

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Summary

Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.

References

▼	URL	Tags
	https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache James MIME4J	Version: 0 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:17:04.186Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-45787",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T19:31:06.959423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-312",
                "description": "CWE-312 Cleartext Storage of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T19:32:09.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache James MIME4J",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "0.8.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonathan Leitschuh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\u003cbr\u003e\u003cbr\u003eWe recommend users to upgrade to MIME4j version 0.8.9 or later.\u003cbr\u003e"
            }
          ],
          "value": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.\n\nWe recommend users to upgrade to MIME4j version 0.8.9 or later.\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-16T10:27:24.515Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-45787",
    "datePublished": "2023-01-06T09:31:40.118Z",
    "dateReserved": "2022-11-22T08:49:26.227Z",
    "dateUpdated": "2025-04-09T19:32:09.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted