CVE-2023-51518

CVE-2023-51518: Apache James server: Privilege escalation via JMX pre-authentication deserialisation

Vendor Apache Software Foundation
Product Apache James server
Weakness CWE-502 · Unsafe deserialization
Published February 27, 2024
Last update August 22, 2024

What the vulnerability does

Description

Apache James prior to versions 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost that is subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default the JMX endpoint is only bound locally.

We recommend that users:

- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (Docker, dedicated virtual machine)
- If possible, turn off JMX

Key dates

Disclosure timeline

February 27, 2024 CVE published
August 22, 2024 Record updated