Mal Aware

#25685 of 53,634
9.8 Total CVSS
Vulnerabilities · 1
PT-2024-14172
9.8
2024-02-27
Apache · Apache James · CVE-2023-51518
**Name of the Vulnerable Software and Affected Versions**

Apache James versions prior to 3.7.5 and 3.8.0

**Description**

The issue concerns the exposure of a JMX endpoint on localhost, which is subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default, the JMX endpoint is only bound locally.

**Recommendations**

- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (Docker, dedicated virtual machine)
- If possible, turn off JMX