oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-26269: Apache James server: Privilege escalation through unauthenticated JMX

From: Benoit Tellier <btellier () apache org>
Date: Fri, 31 Mar 2023 05:28:03 +0000
Severity: moderate

Description:

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This 
allows privilege escalation by a 
malicious local user.

Administrators are advised to disable JMX, or set up a JMX password.

Work Arounds:

Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Credit:

Matei "Mal" Badanoiu (reporter)

References:

https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-26269
Previous By Date Next
Previous By Thread Next

Current thread: