Java Deserialization Vulnerability in Apache James by Apache
CVE-2017-12628
7.8 HIGH
What is CVE-2017-12628?
The Apache James server, which includes an embedded JMX server, is vulnerable to a Java deserialization issue. This flaw allows for the execution of arbitrary commands through the JMX interface. By default, the JMX socket is exposed only on the local host, which means this vulnerability can lead to privilege escalation under certain conditions. To mitigate this risk, users are advised to upgrade to version 3.0.1, which addresses the insecure library that contributes to this vulnerability.
Affected Version(s)
Apache James 3.0.0
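A defender-side check for the two conditions described above (the release in use, and whether the JMX socket is bound to the local host only), as an added example that is not part of the original advisory or of Apache James. It assumes the bind address is set by a `jmx.address` key in James's `conf/jmx.properties`; the sample file contents are constructed.

```python
import ipaddress
import re

FIXED_VERSION = (3, 0, 1)  # release the advisory names as the fix

# Constructed sample of conf/jmx.properties (key names are an assumption).
SAMPLE = "# constructed sample\njmx.address=0.0.0.0\njmx.port=9999\n"

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_loopback(address):
    """True only when the bind address is clearly local-host only."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # empty or unresolved hostname: report it for review

def audit(version, jmx_properties_text):
    """Return findings for one James instance (empty list means none)."""
    findings = []
    # Conservative: anything older than the fixed release is flagged.
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if parts < FIXED_VERSION:
        findings.append(f"James {version} is older than 3.0.1: upgrade")
    address = parse_properties(jmx_properties_text).get("jmx.address", "")
    if not is_loopback(address):
        shown = address or "<unset>"
        findings.append(f"JMX address {shown} is not loopback-only")
    return findings

if __name__ == "__main__":
    for finding in audit("3.0.0", SAMPLE):
        print(finding)
```

A non-loopback bind address changes the exposure from local users to anyone who can reach the port, so that finding deserves attention even on a host already scheduled for upgrade.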