Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Jun/8 | Mailing List Third Party Advisory |
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json | |
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: OX
Published: 2023-06-20T07:52:02.018Z
Updated: 2024-01-12T07:13:36.698Z
Reserved: 2023-02-22T20:42:56.090Z
Link: CVE-2023-26436
JSON object: View
NVD Information
Status : Modified
Published: 2023-06-20T08:15:09.607
Modified: 2024-01-12T08:15:41.010
Link: CVE-2023-26436
JSON object: View
Redhat Information
No data.