https://github.com/mbadanoiu/cve-2023-51518

CVE-2023-51518: Preauthenticated Java Deserialization via JMX in Apache James
https://github.com/mbadanoiu/cve-2023-51518

0-day cve cve-2023-51518 cves deserialization local-privilege-escalation pre-authentication

Last synced: 2 days ago
JSON representation

CVE-2023-51518: Preauthenticated Java Deserialization via JMX in Apache James

• Host: GitHub
• URL: https://github.com/mbadanoiu/cve-2023-51518
• Owner: mbadanoiu
• Created: 2024-06-03T19:48:53.000Z (5 months ago)
• Default Branch: main
• Last Pushed: 2024-06-03T20:09:42.000Z (5 months ago)
• Last Synced: 2024-06-04T00:01:26.285Z (5 months ago)
• Topics: 0-day, cve, cve-2023-51518, cves, deserialization, local-privilege-escalation, pre-authentication
• Homepage:
• Size: 300 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# CVE-2023-51518: Preauthenticated Java Deserialization via JMX in Apache James

Apache James distribution prior to release 3.7.5 and 3.8.1 allow privilege escalation via JMX pre-authentication deserialization. Given a deserialization gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation.

Note: For Apache James servers running using Java versions <16, the [ysoserial](https://github.com/frohoff/ysoserial) "CommonsBeanutils1" gadget can be used to execute arbitrary system commands. For Java versions >=16, an alternative vector needs to be identified as explained in this [article](https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/).

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://james.apache.org/server/feature-security.html).

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2023-51518/blob/main/Apache%20James%20-%20CVE-2023-51518.pdf).