CVE-2022-24405
Published: 27 July 2022
Summary
CVE-2022-24405 is a critical-severity OS Command Injection (CWE-78) vulnerability in Open-Xchange OX App Suite. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
OX App Suite through version 7.10.6 contains an OS command injection vulnerability, CVE-2022-24405, that affects the Documentconverter API. The issue arises when the API processes a serialized Java class, enabling execution of arbitrary operating system commands and corresponding to CWE-78. The flaw received a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can supply a crafted serialized object directly to the exposed API endpoint and obtain arbitrary command execution, resulting in full control over confidentiality, integrity, and availability on the affected system.
The associated EPSS score has remained flat at 0.08 with no material rise after disclosure. Public references point to open-xchange.com and the July 2022 Full Disclosure mailing list archive for further details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29297
Vulnerability details
OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.