Description
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
Remediation
References
https://lists.apache.org/thread/2z44rg93pflbjhvbwy3xtz505bx41cbs
http://www.openwall.com/lists/oss-security/2023/04/18/3
Related Vulnerabilities
CVE-2019-10348 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook
CVE-2019-16557 Vulnerability in maven package com.redgate.plugins.redgatesqlci:redgate-sql-ci
CVE-2018-15531 Vulnerability in maven package net.bull.javamelody:javamelody-core
CVE-2017-5638 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2020-36180 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind