CVE-2017-12628

HIGH

Apache James Server < 3.0.0 - Insecure Deserialization

Title source: rule

Description

The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.

References (2)

[Mailing List] https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101532

Scores

CVSS v3 7.8

EPSS 0.0014

EPSS Percentile 34.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (2)

apache/james_server < 3.0.0

org.apache.james/james-project < 3.0.1Maven

Timeline

Published Oct 20, 2017

Tracked Since Feb 18, 2026