CVE-2023-26269

Severity: 7.8 HIGH
EPSS: 1.0% (top 22.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 3; Latest update Apr 22

Description

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 4 packages

Vulnerability Details (4)

GHSA: Ant Media Server vulnerable to a local privilege escalation (2024-04-22)
CVEList: Apache James server: Privilege escalation through unauthenticated JMX (2023-04-03)
OSV: Apache James server's JMX management service vulnerable to privilege escalation by local user (2023-04-03)
GHSA: Apache James server's JMX management service vulnerable to privilege escalation by local user (2023-04-03)