CVE-2023-26436 — HIGH (7.1)

Q: How severe is CVE-2023-26436?

CVE-2023-26436 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-26436?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite Backend.

Vulnerability Description

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Open-Xchange	Open-Xchange Appsuite Backend	< 7.10.6

Related Weaknesses (CWE)

CWE-94 CWE-502

References

http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-ConsumptiThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8Mailing ListThird Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-ConsumptiThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8Mailing ListThird Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes

FAQ

What is CVE-2023-26436?

CVE-2023-26436 is a vulnerability with a CVSS score of 7.1 (HIGH). Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to ...

How severe is CVE-2023-26436?

CVE-2023-26436 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-26436?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite Backend.