{"schema_version": "1.6.1", "id": "CVE-2023-51518", "summary": "Privilege escalation via JMX pre-authentication deserialisation", "details": "Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n - Upgrade to a non-vulnerable Apache James version\n\n - Run Apache James isolated from other processes (docker - dedicated virtual machine)\n - If possible turn off JMX\n\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"last_affected": "0"}]}, {"type": "SEMVER", "events": [{"introduced": "3.8"}, {"last_affected": "3.8"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or"}]}