CVE-2023-26436 : Attackers with access to the "documentconverterws" API were able to inject seria

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

Published 2023-06-20 08:15:10

Updated 2024-01-12 08:15:41

Source Open-Xchange

View at NVD, CVE.org

Products affected by CVE-2023-26436

Open-xchange » Open-xchange Appsuite Backend
Versions before (<) 7.10.6
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite Backend » Version: 7.10.6
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite Backend » Version: 7.10.6 Update Revision 39
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-26436

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-26436

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.1	HIGH	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	0.5	6.0	Open-Xchange
Attack Vector: Physical Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-26436

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: security@open-xchange.com (Secondary)
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-26436

http://seclists.org/fulldisclosure/2023/Jun/8

Full Disclosure: OXAS-ADV-2023-0002: OX App Suite Security Advisory
Mailing List;Third Party Advisory

CVEs referencing this url
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json

CVEs referencing this url
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html

OX App Suite SSRF / Resource Consumption / Command Injection ≈ Packet Storm
Third Party Advisory;VDB Entry

CVEs referencing this url
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf

Release Notes

CVEs referencing this url
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json

Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-26436

Products affected by CVE-2023-26436

Exploit prediction scoring system (EPSS) score for CVE-2023-26436

CVSS scores for CVE-2023-26436

CWE ids for CVE-2023-26436

References for CVE-2023-26436