Description
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library.
Remediation
References
http://www.securityfocus.com/bid/101532
https://www.mail-archive.com/server-user%40james.apache.org/msg15633.html
Related Vulnerabilities
CVE-2019-1003035 Vulnerability in maven package org.jenkins-ci.plugins:azure-vm-agents
CVE-2019-17495 Vulnerability in maven package io.springfox:springfox-swagger-ui
CVE-2018-14731 Vulnerability in npm package parcel-bundler
CVE-2020-26272 Vulnerability in npm package electron
CVE-2020-2322 Vulnerability in maven package io.jenkins.plugins:chaos-monkey