Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1weDd3LWM5Z3ctN2dqM84AA5hU

Apache James server: Privilege escalation via JMX pre-authentication deserialization

Apache James prior to versions 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost that is subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default the JMX endpoint is only bound locally.

We recommend users to:
 - Upgrade to a non-vulnerable Apache James version
 - Run Apache James isolated from other processes (docker - dedicated virtual machine)
 - If possible turn off JMX

Permalink: https://github.com/advisories/GHSA-px7w-c9gw-7gj3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1weDd3LWM5Z3ctN2dqM84AA5hU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-px7w-c9gw-7gj3, CVE-2023-51518
References:
Blast Radius: 11.5

Affected Packages

maven:org.apache.james:james-server
Dependent packages: 1
Dependent repositories: 15
Downloads:
Affected Version Ranges: >= 3.8.0, < 3.8.1, <= 3.7.4
Fixed in: 3.8.1, 3.7.5
All affected versions: 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0
All unaffected versions: 3.7.5, 3.8.1