Details of VAR-202402-3105

ID

VAR-202402-3105

CVE

CVE-2023-51518

TITLE

Apache Software Foundation of Apache James Untrusted Data Deserialization Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028842

DESCRIPTION

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to: - Upgrade to a non-vulnerable Apache James version - Run Apache James isolated from other processes (docker - dedicated virtual machine) - If possible turn off JMX . Apache Software Foundation of Apache James There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2023-51518 // JVNDB: JVNDB-2023-028842

AFFECTED PRODUCTS

vendor:	apache	model:	james	scope:	eq	version:	3.8.0	Trust: 1.8
vendor:	apache	model:	james	scope:	eq	version:	3.7.5	Trust: 1.8
vendor:	apache	model:	james	scope:	eq	version:	-	Trust: 0.8
vendor:	apache	model:	james	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-028842 // NVD: CVE-2023-51518

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2023-51518
value:	CRITICAL
Trust: 1.0
OTHER:	JVNDB-2023-028842
value:	CRITICAL
Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2023-51518
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2023-028842
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-028842 // NVD: CVE-2023-51518

PROBLEMTYPE DATA

problemtype:	CWE-502	Trust: 1.0
problemtype:	Deserialization of untrusted data (CWE-502) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-028842 // NVD: CVE-2023-51518

EXTERNAL IDS

db:	NVD	id:	CVE-2023-51518	Trust: 2.6
db:	JVNDB	id:	JVNDB-2023-028842	Trust: 0.8

sources: JVNDB: JVNDB-2023-028842 // NVD: CVE-2023-51518

REFERENCES

url:	https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-51518	Trust: 0.8

sources: JVNDB: JVNDB-2023-028842 // NVD: CVE-2023-51518

SOURCES

db:	JVNDB	id:	JVNDB-2023-028842
db:	NVD	id:	CVE-2023-51518

LAST UPDATE DATE

2025-05-09T03:23:25.838000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2023-028842	date:	2025-05-07T02:38:00
db:	NVD	id:	CVE-2023-51518	date:	2025-05-05T21:01:52.963

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2023-028842	date:	2025-05-07T00:00:00
db:	NVD	id:	CVE-2023-51518	date:	2024-02-27T09:15:36.983