Home > Vulnerability Database > CVE-2023-26269

Mend.io Vulnerability Database

CVE-2023-26269

Good to know:

Date: April 3, 2023

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Language: Java

Severity Score

9.8

Related Resources (6)

Url: https://github.com/apache/james-project/commit/d3d738838634e1ccb6699e1af64f7e8c63b0bb84

Url: https://seclists.org/oss-sec/2023/q1/217

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26269

Url: https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs

Url: http://www.openwall.com/lists/oss-security/2023/04/18/3

Url: https://www.mend.io/vulnerability-database/CVE-2023-26269

Severity Score

9.8

Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version org.apache.james:james-server-spring-app:3.7.4, org.apache.james:james-server-guice-jmx:3.7.4

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26269

Good to know:

Date: April 3, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?