CVE-2023-26436

CVSS V2 None CVSS V3 None

Description

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

Overview

CVE ID
CVE-2023-26436

Assigner
OX

Vulnerability Status
PUBLISHED

Published Version
2023-06-20T07:52:02.018Z

Last Modified Date
2024-01-12T07:13:36.698Z

Weakness Enumerations

CWE	URL
CWE-94	http://cwe.mitre.org/data/definitions/94.html

References

Reference URL	Reference Tags
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf	release-notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json	vendor-advisory
http://seclists.org/fulldisclosure/2023/Jun/8
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26436
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26436

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:21:28				Added to TrackCVE