CVE-2023-26436

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

History

21 Nov 2024, 07:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 7.1
References () http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory
References () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json - () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json -
References () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes

12 Jan 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json -

06 Jul 2023, 18:29

Type Values Removed Values Added
First Time Open-xchange
Open-xchange open-xchange Appsuite Backend
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*
CWE CWE-502
References (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry
References (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes
References (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - Third Party Advisory

22 Jun 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html -

22 Jun 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 -

20 Jun 2023, 13:03

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-20 08:15

Updated : 2024-11-21 07:51


NVD link : CVE-2023-26436

Mitre link : CVE-2023-26436

CVE.ORG link : CVE-2023-26436


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite_backend
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-502

Deserialization of Untrusted Data