Home > Vulnerability Database > CVE-2023-51518

Mend.io Vulnerability Database

CVE-2023-51518

Good to know:

Date: February 27, 2024

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX

Language: Java

Severity Score

5.9

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-51518

Url: https://seclists.org/oss-sec/2024/q1/161

Url: https://github.com/apache/james-project/commit/59bf9b9cdfaabbeb1de6971ce0bbbe230c9f8b36

Url: https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or

Url: https://www.mend.io/vulnerability-database/CVE-2023-51518

Severity Score

5.9

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version org.apache.james:james-server-cli:3.7.5,3.8.1, org.apache.james:james-server-guice-jmx:3.7.5,3.8.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-51518

Good to know:

Date: February 27, 2024

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?