Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.
8.1CVSS
8.2AI Score
0.7EPSS
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Rel...
7.8CVSS
7.9AI Score
0.0004EPSS
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.Note that by default JMX en...
9.8CVSS
6.6AI Score
0.0004EPSS