
List:       oss-security
Subject:    [oss-security] CVE-2023-26269: Apache James server: Privilege escalation through unauthenticated JMX
From:       Benoit Tellier <btellier () apache ! org>
Date:       2023-03-31 5:28:03
Message-ID: b25b13ef-81bb-4d59-930d-a566659f8b2f () apache ! org

Severity: moderate

Description:

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.

Administrators are advised to disable JMX, or set up a JMX password.

Workarounds:

Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
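A configuration audit for the mitigation above, written for this page as an added example; it is not part of the advisory or of the Apache James project. It reads a James-style `jmx.properties` and reports whether JMX is disabled, or enabled only with a password file that other local users cannot read (the case the advisory describes). The file and key names (`jmx.properties`, `jmx.enabled`, `jmx.address`, `jmx.port`, `jmxremote.password`) and the loopback-binding warning are assumptions about the Guice distribution's `conf/` layout, not facts stated in the advisory; the three sample configurations are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: audit an Apache James conf directory for the unauthenticated
# JMX exposure described in CVE-2023-26269. File and key names (jmx.properties,
# jmx.enabled, jmx.address, jmxremote.password) are assumptions about the
# Guice distribution layout, not taken from the advisory.

# Read one key from a Java .properties file (key=value lines, '#' comments).
prop() { # usage: prop FILE KEY
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_jmx_conf CONF_DIR
# Returns 0 when the configuration is acceptable:
#   - JMX is not enabled, or
#   - JMX is enabled and a password file exists that only its owner can read.
# Returns 1 otherwise. A one-line verdict is printed to stdout either way.
check_jmx_conf() {
    conf="$1"
    props="$conf/jmx.properties"
    pw="$conf/jmxremote.password"

    if [ "$(prop "$props" jmx.enabled)" != "true" ]; then
        echo "ok: jmx.enabled is not true in $props"
        return 0
    fi
    addr=$(prop "$props" jmx.address)
    if [ ! -f "$pw" ]; then
        # This is the shipped default the advisory warns about: any local
        # user who can reach the JMX port can manage the server.
        echo "fail: JMX enabled (bind ${addr:-default}) with no $pw"
        return 1
    fi
    mode=$(file_mode "$pw")
    case "$mode" in
        400|600) ;;
        *)  echo "fail: $pw is readable by other local users (mode $mode)"
            return 1 ;;
    esac
    if [ -n "$addr" ] && [ "$addr" != "127.0.0.1" ]; then
        echo "warn: JMX authenticated but bound to $addr rather than loopback"
    fi
    echo "ok: JMX enabled with owner-only password file $pw"
    return 0
}

# build_samples: create three constructed conf directories under a temp root
# (weak: JMX on, no password; hardened: password file mode 600, loopback only;
# off: JMX disabled) and print the root path. Values are made up for the demo.
build_samples() {
    root=$(mktemp -d)
    for d in weak hardened off; do mkdir -p "$root/$d"; done
    printf 'jmx.enabled=true\njmx.address=0.0.0.0\njmx.port=9999\n' \
        > "$root/weak/jmx.properties"
    printf '# hardened\njmx.enabled=true\njmx.address=127.0.0.1\njmx.port=9999\n' \
        > "$root/hardened/jmx.properties"
    printf 'james-admin CONSTRUCTED-SECRET\n' > "$root/hardened/jmxremote.password"
    chmod 600 "$root/hardened/jmxremote.password"
    printf 'jmx.enabled=false\n' > "$root/off/jmx.properties"
    echo "$root"
}

# With arguments: audit the given conf directories and exit non-zero on any
# failure. Without arguments: audit the constructed samples as a demo.
if [ "$#" -gt 0 ]; then
    rc=0
    for d in "$@"; do check_jmx_conf "$d" || rc=1; done
    exit "$rc"
else
    demo_root=$(build_samples)
    for d in weak hardened off; do check_jmx_conf "$demo_root/$d" || true; done
    rm -rf "$demo_root"
fi
```

Run it as `sh jmx_audit.sh /path/to/james/conf` on the live installation; a `fail:` line means the instance is in the state the advisory describes and JMX should be disabled or given a password before the service is restarted. The permission check matters because a world-readable `jmxremote.password` defeats the purpose of the password.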

Credit:

Matei "Mal" Badanoiu (reporter)

References:

https://james.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-26269

