Lucene search

[email protected]CVE-2017-12628

HistoryOct 20, 2017 - 3:29 p.m.

CVE-2017-12628

2017-10-2015:29:00

CWE-502

[email protected]

web.nvd.nist.gov

cve-2017-12628

apache james

jmx server

remote code execution

cve

java deserialization vulnerability

privilege escalation

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.

Affected configurations

Vulners

NVD

Node

apachejamesRange≤3.0.0

CPENameOperatorVersion
apache:james_serverapache james serverle3.0.0

CPE	Name	Operator	Version
apache:james_server	apache james server	le	3.0.0

CNA Affected

[
  {
    "product": "Apache James",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "3.0.0"
      }
    ]
  }
]