Java Deserialization in documentconverterws API (CVE-2023-26436)
CVE-2023-26436 Published on June 20, 2023
Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.
Vulnerability Analysis
CVE-2023-26436 is exploitable with physical access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2023-26436 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2023-26436
Want to know whenever a new CVE is published for Open Xchange Appsuite Backend? stack.watch will email you.
Affected Versions
OX Software GmbH OX App Suite:- Before and including 7.10.6-rev7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.