CVE-2015-7611

HIGH

Apache James Server 2.3.2 - RCE

Title source: llm

Description

Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/48130

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Palaczynski Jakub, Matthew Aberegg, Michael Burkey · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/smtp/apache_james_exec.rb

View Code ZIP pw:eip

References (6)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/133798/Apache-James-Server-2.3.2-Arbitrary-Command-Execution.html

[Vendor Advisory] https://blogs.apache.org/james/entry/apache_james_server_2_3

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/536575/100/0/threaded

[Mailing List] http://www.openwall.com/lists/oss-security/2015/09/30/7

[Mailing List] http://www.openwall.com/lists/oss-security/2015/10/01/2

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/156463/Apache-James-Server-2.3.2-Insecure-User-Creation-Arbitrary-File-Write.html

Scores

CVSS v3 8.1

EPSS 0.7492

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

apache/james_server 2.3.2

org.apache.james/james-server 0 - 2.3.2.1Maven

Published Jun 07, 2016

Tracked Since Feb 18, 2026