cnvd - cnvd-2023-05222

cnvd-2023-05222

Vulnerability from cnvd

Title: Apache James信息泄露漏洞

Description:

Apache James是美国阿帕奇（Apache）基金会的一个完全用Java编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。

Apache James server存在信息泄露漏洞，该漏洞源于其使用具有不安全权限的临时文件，具有本地访问权限的攻击者可利用该漏洞访问传输中的私有用户数据。

Severity: 中

Patch Name: Apache James信息泄露漏洞的补丁

Patch Description:

Apache James是美国阿帕奇（Apache）基金会的一个完全用Java编写的开源Smtp和Pop3 邮件传输代理和Nntp新闻服务器。

Apache James server存在信息泄露漏洞，该漏洞源于其使用具有不安全权限的临时文件，具有本地访问权限的攻击者可利用该漏洞访问传输中的私有用户数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45935

Impacted products

Name
Apache James <=3.7.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-45935",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935"
    }
  },
  "description": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528Java\u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\n\nApache James server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f7f\u7528\u5177\u6709\u4e0d\u5b89\u5168\u6743\u9650\u7684\u4e34\u65f6\u6587\u4ef6\uff0c\u5177\u6709\u672c\u5730\u8bbf\u95ee\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f20\u8f93\u4e2d\u7684\u79c1\u6709\u7528\u6237\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-05222",
  "openTime": "2023-01-30",
  "patchDescription": "Apache James\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5b8c\u5168\u7528Java\u7f16\u5199\u7684\u5f00\u6e90Smtp\u548cPop3 \u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u548cNntp\u65b0\u95fb\u670d\u52a1\u5668\u3002\r\n\r\nApache James server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f7f\u7528\u5177\u6709\u4e0d\u5b89\u5168\u6743\u9650\u7684\u4e34\u65f6\u6587\u4ef6\uff0c\u5177\u6709\u672c\u5730\u8bbf\u95ee\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f20\u8f93\u4e2d\u7684\u79c1\u6709\u7528\u6237\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache James\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache James \u003c=3.7.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-45935",
  "serverity": "\u4e2d",
  "submitTime": "2023-01-11",
  "title": "Apache James\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2022-45935 (GCVE-0-2022-45935)

Vulnerability from cvelistv5

Published

2023-01-06 09:33

Modified

2025-04-10 13:35

Severity ?

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions.

References

▼	URL	Tags
	https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache James server	Version: 0 ≤ 3.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-45935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T13:35:27.107323Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T13:35:31.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache James server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Benoit Tellier"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \u003cbr\u003e\u003cbr\u003eVulnerable components includes the SMTP stack and IMAP APPEND command.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache James server version 3.7.2 and prior versions."
            }
          ],
          "value": "Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. \n\nVulnerable components includes the SMTP stack and IMAP APPEND command.\n\nThis issue affects Apache James server version 3.7.2 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T10:18:19.197Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j61fo8xc1rxtofrn8vc33whx35s9cj1d"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache James server: Temporary File Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-45935",
    "datePublished": "2023-01-06T09:33:30.150Z",
    "dateReserved": "2022-11-27T08:53:19.892Z",
    "dateUpdated": "2025-04-10T13:35:31.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted