CVE-2023-26269 — Vulnetix

CVE-2023-26269 PUBLISHED CVSS 7.800000190734863 HIGH

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

EPSS 1.16% · 78.9th percentile

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1.16%

78.9th percentile

Affected Products

Vendor	Product	Versions
Maven	org.apache.james:javax-mail-extension	0, 0, 0
apache	james	0, 0, 0
Apache Software Foundation	Apache James server	0, 0
apache	james_server	0, 0

Timeline

Apr 3, 2023 CVE Published
Apr 3, 2023 EPSS Score
May 11, 2023 EPSS Score
Jul 26, 2023 EPSS Score
Sep 2, 2023 EPSS Score
Oct 10, 2023 EPSS Score
Nov 17, 2023 EPSS Score
Feb 1, 2024 EPSS Score
Mar 10, 2024 EPSS Score
Apr 17, 2024 EPSS Score
May 25, 2024 EPSS Score
Aug 9, 2024 EPSS Score

References

https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs vendor-advisory
http://www.openwall.com/lists/oss-security/2023/04/18/3 url
https://nvd.nist.gov/vuln/detail/CVE-2023-26269 advisory
https://github.com/apache/james-project package

Open in Interactive Console →