Apache James server's JMX management service vulnerable to privilege escalation by local user
High severity
GitHub Reviewed
Published Apr 3, 2023 to the GitHub Advisory Database; updated Apr 18, 2023
Package
Affected versions: < 3.7.4
Patched versions: 3.7.4
Description
Published by the National Vulnerability Database: Apr 3, 2023
Published to the GitHub Advisory Database: Apr 3, 2023
Reviewed: Apr 3, 2023
Last updated: Apr 18, 2023
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
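An audit check for the condition this advisory describes, added here as an example (not code from the Apache James project): it reads a James-style jmx.properties and flags a JMX service that is enabled without credential files, noting that a loopback bind is no mitigation against a local user. The key names jmx.enabled / jmx.address / jmx.port and the file names jmxremote.password / jmxremote.access are assumptions, not taken from this page.

```python
from pathlib import Path

# Constructed sample shaped like James conf/jmx.properties (key names assumed).
SAMPLE_JMX_PROPERTIES = """\
jmx.enabled=true
jmx.address=127.0.0.1
jmx.port=9999
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_jmx(props: dict, conf_files: dict) -> list:
    """Return findings. conf_files maps file names in the conf directory to
    their POSIX mode bits, e.g. {"jmxremote.password": 0o600} (assumed names)."""
    findings = []
    # The shipped config enables JMX; an absent key is treated the same way.
    if props.get("jmx.enabled", "true").lower() == "false":
        return findings
    if not all(name in conf_files for name in ("jmxremote.password", "jmxremote.access")):
        # The advisory's condition: service up, no credentials. A loopback
        # bind is no mitigation here because the attacker is a local user.
        findings.append("JMX enabled with no password/access file: any local user can connect")
    elif conf_files["jmxremote.password"] & 0o077:
        findings.append("jmxremote.password readable by group/other: credentials exposed to local users")
    address = props.get("jmx.address", "127.0.0.1")
    if address not in LOOPBACK:
        findings.append(f"JMX bound to {address}: reachable from the network, not just locally")
    return findings

def audit_conf_dir(conf_dir: str) -> list:
    """Run the audit against a real James conf directory."""
    conf = Path(conf_dir)
    props = parse_properties((conf / "jmx.properties").read_text())
    files = {p.name: p.stat().st_mode & 0o777 for p in conf.iterdir() if p.is_file()}
    return audit_jmx(props, files)

if __name__ == "__main__":
    for finding in audit_jmx(parse_properties(SAMPLE_JMX_PROPERTIES), {}):
        print("FINDING:", finding)
```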