Lucene search
GitHub Advisory DatabaseGHSA-PX7W-C9GW-7GJ3HistoryFeb 27, 2024 - 9:31 a.m.
Apache James server: Privilege escalation via JMX pre-authentication deserialization
2024-02-2709:31:16
CWE-502
GitHub Advisory Database
github.com
2
apache james
privilege escalation
jmx
vulnerability
deserialization
upgrade
isolation
docker
virtual machine
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default JMX endpoint is only bound locally.
We recommend users to:
Ā - Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
Ā - If possible turn off JMX
Affected configurations
Node
org.apache.james\jamesMatchserver
ORorg.apache.james\jamesMatchserver
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.james:james-server | lt | 3.8.1 | |
| org.apache.james:james-server | le | 3.7.4 |
Related
veracode
veracode
Deserialization Of Untrusted Data
2024-02-29 08:00:04
cvelist
cvelist
nvd
nvd
CVE-2023-51518
2024-02-27 09:15:36
osv
osv
prion
prion
Authentication flaw
2024-02-27 09:15:00
cve
cve
CVE-2023-51518
2024-02-27 09:15:36