CVE-2023-51518: Apache James server: Privilege escalation via JMX pre-authentication deserialization

February 27, 2024

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally.

We recommend users to: - Upgrade to a non-vulnerable Apache James version

- Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX

References

github.com/advisories/GHSA-px7w-c9gw-7gj3
lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or
nvd.nist.gov/vuln/detail/CVE-2023-51518

Detect and mitigate CVE-2023-51518 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →