CVE-2023-51518

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or	Vendor Advisory Mailing List
https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or	Vendor Advisory Mailing List

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:james:3.7.5:::::::*
	cpe:2.3:a:apache:james:3.8.0:::::::*

History

05 May 2025, 21:01

Type	Values Removed	Values Added
First Time		Apache Apache james
CPE		cpe:2.3:a:apache:james:3.7.5:::::::* cpe:2.3:a:apache:james:3.8.0:::::::*
References	~~() https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or -~~	() https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or - Vendor Advisory, Mailing List

21 Nov 2024, 08:38

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or -~~	() https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or -

22 Aug 2024, 21:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

27 Feb 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-27 09:15

Updated : 2025-05-05 21:01

NVD link : CVE-2023-51518

Mitre link : CVE-2023-51518

CVE.ORG link : CVE-2023-51518

JSON object : View

Products Affected

apache

james

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-51518", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-27T09:15:36.983", "references": [{"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or", "tags": ["Vendor Advisory", "Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or", "tags": ["Vendor Advisory", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n\u00a0- Upgrade to a non-vulnerable Apache James version\n\n\u00a0- Run Apache James isolated from other processes (docker - dedicated virtual machine)\n\u00a0- If possible turn off JMX\n\n"}, {"lang": "es", "value": "Apache James anterior a las versiones 3.7.5 y 3.8.0 expone un endpoint JMX en localhost sujeto a deserializaci\u00f3n previa a la autenticaci\u00f3n de datos que no son de confianza. Dado un dispositivo de deserializaci\u00f3n, esto podr\u00eda aprovecharse como parte de una cadena de explotaci\u00f3n que podr\u00eda resultar en una escalada de privilegios. Tenga en cuenta que, de forma predeterminada, el endpoint JMX solo est\u00e1 vinculado localmente. Recomendamos a los usuarios: - Actualizar a una versi\u00f3n de Apache James no vulnerable - Ejecutar Apache James aislado de otros procesos (docker - m\u00e1quina virtual dedicada) - Si es posible, desactive JMX"}], "lastModified": "2025-05-05T21:01:52.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40A5D89F-8F58-45CD-8AC6-9A6DCA6DEBF9"}, {"criteria": "cpe:2.3:a:apache:james:3.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30D1AC70-87D6-4FA1-A995-14AB73002CD3"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}