CVE-2023-26269

Summary

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.

Administrators are advised to disable JMX, or set up a JMX password.

Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache James server0 <= 3.7.3affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References