CVE-2017-12628

Published: Oct 20, 2017Modified: May 13, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.

Affected (1)

Products: Apache: James Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache James Server	Up to 3.0.0

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

http://www.securityfocus.com/bid/101532

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html

Source: security@apache.org

http://www.securityfocus.com/bid/101532

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.