Apache James Vulnerability: Deserialization of Untrusted Data Could Lead to Privilege Escalation

CVE-2023-51518

Currently unrated 🤨

Key Information

Vendor
Apache
Status
Apache James Server
Vendor
CVE Published:
27 February 2024

Badges

👾 Exploit Exists

Summary

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally.

We recommend users to:  - Upgrade to a non-vulnerable Apache James version

 - Run Apache James isolated from other processes (docker - dedicated virtual machine)  - If possible turn off JMX

Affected Version(s)

Apache James server <= 3.7.4

Apache James server <= 3.8.0

References

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database0 Proof of Concept(s)

Credit

Mal Aware
Arnout Engelen
.