Vulnerability Description
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | James Server | <= 3.0.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101532Third Party AdvisoryVDB Entry
- https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html
- http://www.securityfocus.com/bid/101532Third Party AdvisoryVDB Entry
- https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html
FAQ
What is CVE-2017-12628?
CVE-2017-12628 is a vulnerability with a CVSS score of 7.8 (HIGH). The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX sock...
How severe is CVE-2017-12628?
CVE-2017-12628 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12628?
Check the references section above for vendor advisories and patch information. Affected products include: Apache James Server.