Apache James server: Temporary File Information Disclosure
Description
Use of temporary files with insecure permissions by the Apache James server allows an attacker with local access to read private user data in transit.
Vulnerable components include the SMTP stack and the IMAP APPEND command.
This issue affects Apache James server version 3.7.2 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache James server <=3.7.2 uses temporary files with insecure permissions, enabling local attackers to read private user data in transit via SMTP and IMAP APPEND.
Vulnerability
CVE-2022-45935 is a local information disclosure vulnerability in the Apache James (Java Apache Mail Enterprise Server) mail server. The root cause is the use of temporary files with insecure permissions during mail processing. Affected components include the SMTP stack and the IMAP APPEND command, which handle user data in transit [1].
Exploitation
An attacker must have local access to the filesystem where the Apache James server creates temporary files. No special authentication or network position is required beyond local user access. The insecure file permissions allow the attacker to read temporary files that contain private user data while it is being processed by the SMTP or IMAP APPEND operations [1].
Impact
A local attacker can access private user data in transit, which may include email content, attachments, or other sensitive information processed by the server. This could lead to unauthorized disclosure of confidential communications [1][2].
Mitigation
Apache James version 3.7.3 and later fix this vulnerability by implementing secure temporary file creation. Users are advised to upgrade to 3.7.3 or higher. No workaround is mentioned [2]. The Apache James project follows standard vulnerability handling procedures [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
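As an added illustration of the vulnerability class (example code, not Apache James's own): the two JDK ways of creating a temporary file differ in their default permissions, and a small check shows which one leaves a message in transit readable by other local accounts. It assumes a POSIX filesystem (Linux or macOS); the class name and the `mail-spool-` prefix are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

// Added example, not Apache James code: contrasts the two JDK temp-file APIs
// and checks whether another local account could read the spooled message.
public class TempFilePermissionCheck {
    // Weak pattern: java.io.File.createTempFile opens the file with mode 0666
    // masked only by the process umask; with the common 022 umask the message
    // in transit is world-readable in /tmp.
    static Path weakTempFile() throws IOException {
        return File.createTempFile("mail-spool-", ".eml").toPath();
    }

    // Hardened pattern: java.nio.file.Files.createTempFile with no explicit
    // attributes creates the file rw------- (owner only) on POSIX, regardless
    // of umask. The 3.7.3 changelog entry "Rely on Files.createTempFile" names it.
    static Path hardenedTempFile() throws IOException {
        return Files.createTempFile("mail-spool-", ".eml");
    }

    private static final Set<PosixFilePermission> OWNER_BITS = EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.OWNER_EXECUTE);

    // True if any group or "others" bit is set, i.e. a different local user
    // could read or alter the file while the server is still processing it.
    static boolean exposedToOtherUsers(Path p) throws IOException {
        return !OWNER_BITS.containsAll(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path weak = weakTempFile();
        Path hardened = hardenedTempFile();
        try {
            for (Path p : new Path[] { weak, hardened }) {
                System.out.printf("%s %s exposed=%b%n", p,
                        Files.getPosixFilePermissions(p), exposedToOtherUsers(p));
            }
        } finally {                          // never leave sample spool files behind
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The same `exposedToOtherUsers` check can be pointed at a running server's temporary directory to confirm that an upgrade actually changed the permissions on freshly spooled files.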
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:james-server (Maven) | <= 3.7.2 | — |
Affected products
10 products, 9 OSV coordinates:
- pkg:maven/org.apache.james/james-server, range: <= 3.7.2 (no CPE)
- pkg:apk/chainguard/keycloak, range: < 0 (no CPE)
- pkg:apk/chainguard/keycloak-bitnami-compat, range: < 0 (no CPE)
- pkg:apk/chainguard/keycloak-compat, range: < 0 (no CPE)
- pkg:apk/chainguard/keycloak-iamguarded-compat, range: < 0 (no CPE)
- pkg:apk/wolfi/keycloak, range: < 0 (no CPE)
- pkg:apk/wolfi/keycloak-bitnami-compat, range: < 0 (no CPE)
- pkg:apk/wolfi/keycloak-compat, range: < 0 (no CPE)
- pkg:apk/wolfi/keycloak-iamguarded-compat, range: < 0 (no CPE)
- Apache Software Foundation / Apache James server (v5 range: 0)
Patches
1b5580d13d6c7 [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
4 files changed · +20 −3
CHANGELOG.md+1 −2 modified@@ -235,8 +235,7 @@ Multiple performance enhancements for Distributed server mailbox, IMAP, SMTP and ### Security -Upcoming security announcements. - + - CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES - [UPGRADE] commons-text 1.9 -> 1.10 (#1291) - JAMES-3832 RemoteDelivery will do TLS host name verification when contacting remote mail servers - JAMES-3860 Rely on Files.createTempFile (#1325)
server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc+10 −1 modified@@ -104,6 +104,15 @@ outdated dependencies. We follow the standard procedures within the ASF regarding link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability handling] +=== CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES + +Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure. + +*Severity*: Moderate + +*Mitigation*: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability. + + === CVE-2021-44228: STARTTLS command injection in Apache JAMES Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. @@ -112,7 +121,7 @@ Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is *Severity*: Moderate -*Mitigation<*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability. +*Mitigation*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability. === CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
src/homepage/_posts/2022-12-30-james-3.7.3.markdown+2 −0 modified@@ -13,6 +13,8 @@ The Apache James PMC would like to thanks all contributors who made this release ## Announcement +This release fixes CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES. + This release proposes stability related bug fixes and updates some dependencies for security reasons. ## Release changelog
src/site/xdoc/server/feature-security.xml+7 −0 modified@@ -53,6 +53,13 @@ We follow the standard procedures within the ASF regarding <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>. </subsection> + <subsection name="CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES"> + <p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p> + + <p><b>Severity</b>: Moderate</p> + + <p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.</p> + </subsection> <subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES"> <p>Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
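Review bot: in the security.adoc hunk, the new CVE-2022-45935 section tells operators only to upgrade, while the CHANGELOG hunk in the same commit records the fixing change as "JAMES-3860 Rely on Files.createTempFile (#1325)"; naming that ticket and the affected components (SMTP stack and IMAP APPEND, per the advisory description) in the section would let readers verify the fix and judge their exposure. Two wording points in the added lines: "a temporary File Information Disclosure" mixes capitalisation (either "temporary file information disclosure" or the title's "Temporary File Information Disclosure"), and "We recommend to upgrade" should read "We recommend upgrading".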
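Review bot: in the feature-security.xml hunk, the unchanged context line directly after the new subsection states that CVE-2021-44228 affects "Apache James distribution prior to release 3.7.3", but the security.adoc hunk in this same commit says "prior to release 3.7.1" for that CVE; since this commit is syncing the two security pages, the xdoc line should be corrected so the fixed version agrees across them. The added "We recommend to upgrade" also repeats the grammar slip from the adoc text.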
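Review bot: in the 2022-12-30-james-3.7.3.markdown hunk, the added announcement line reads fine, but the unchanged context "would like to thanks all contributors" is a typo ("thank") worth fixing while the post is being edited.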
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.