{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T02:07:35.775","vulnerabilities":[{"cve":{"id":"CVE-2023-51518","sourceIdentifier":"security@apache.org","published":"2024-02-27T09:15:36.983","lastModified":"2025-05-05T21:01:52.963","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.\nGiven a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.\nNote that by default JMX endpoint is only bound locally.\n\nWe recommend users to:\n - Upgrade to a non-vulnerable Apache James version\n\n - Run Apache James isolated from other processes (docker - dedicated virtual machine)\n - If possible turn off JMX\n\n"},{"lang":"es","value":"Apache James anterior a las versiones 3.7.5 y 3.8.0 expone un endpoint JMX en localhost sujeto a deserialización previa a la autenticación de datos que no son de confianza. Dado un dispositivo de deserialización, esto podría aprovecharse como parte de una cadena de explotación que podría resultar en una escalada de privilegios. Tenga en cuenta que, de forma predeterminada, el endpoint JMX solo está vinculado localmente. Recomendamos a los usuarios: - Actualizar a una versión de Apache James no vulnerable - Ejecutar Apache James aislado de otros procesos (docker - máquina virtual dedicada) - Si es posible, desactive JMX"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:james:3.7.5:*:*:*:*:*:*:*","matchCriteriaId":"40A5D89F-8F58-45CD-8AC6-9A6DCA6DEBF9"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:james:3.8.0:*:*:*:*:*:*:*","matchCriteriaId":"30D1AC70-87D6-4FA1-A995-14AB73002CD3"}]}]}],"references":[{"url":"https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]}]}}]}