CVE-2023-26269

CVE-2023-26269: Apache James server: Privilege escalation through unauthenticated JMX

Vendor: Apache Software Foundation
Product: Apache James server
Weakness: CWE-862 (Missing authorization)
Published: April 3, 2023
Last update: February 13, 2025

What the vulnerability does

Description

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Key dates

Disclosure timeline

April 3, 2023: CVE published
February 13, 2025: Record updated