CVE-2023-51518

Source
https://cve.org/CVERecord?id=CVE-2023-51518
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-51518.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-51518
Aliases
Published
2024-02-27T09:09:31.579Z
Modified
2026-07-15T01:48:56.611023647Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache James server: Privilege escalation via JMX pre-authentication deserialisation
Details

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally.

We recommend users to:  - Upgrade to a non-vulnerable Apache James version

 - Run Apache James isolated from other processes (docker - dedicated virtual machine)  - If possible turn off JMX

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/51xxx/CVE-2023-51518.json",
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "3.7.4"
                },
                {
                    "introduced": "3.8"
                },
                {
                    "last_affected": "3.8.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/apache/james-project

Affected ranges

Type
GIT
Repo
https://github.com/apache/james-project
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:james:3.8.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "3.7.5"
        },
        {
            "last_affected": "3.7.5"
        },
        {
            "introduced": "3.8.0"
        },
        {
            "last_affected": "3.8.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

3.*
3.7.5
3.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-51518.json"