CVE-2023-39022

9.8 CRITICAL

📋 TL;DR

CVE-2023-39022 is a critical code injection vulnerability in oscore v2.2.6 and earlier that allows remote attackers to execute arbitrary code by passing unchecked arguments to the createStateless method. This affects any application using the vulnerable opensymphony oscore library. Attackers can achieve remote code execution with high privileges.

💻 Affected Systems

Products:
  • opensymphony oscore
Versions: v2.2.6 and all earlier versions
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Java application using the vulnerable oscore library is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete system compromise through remote code execution, leading to data theft, ransomware deployment, or lateral movement across the network.

🟠 Likely Case
Remote code execution that lets attackers install backdoors, steal sensitive data, or use the system as a foothold for further attacks.

🟢 If Mitigated
Limited impact if strict input validation and sandboxing are in place, though the underlying vulnerability remains until the library is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires passing malicious input to the vulnerable method, which can be done remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.7 or later

Vendor Advisory: https://github.com/opensymphony/oscore

Restart Required: Yes

Instructions:

1. Update the oscore dependency to version 2.2.7 or later in your project's build configuration (pom.xml for Maven, build.gradle for Gradle).
2. Rebuild and redeploy your application.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation Wrapper (applies to: all)

  • Implement strict input validation for every parameter passed to the EJBUtils.createStateless method
  • Add a custom validation layer that sanitizes all inputs before they reach the vulnerable method

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected systems from critical assets
  • Deploy web application firewall (WAF) with rules to detect and block code injection attempts

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml, build.gradle) for oscore version 2.2.6 or earlier

Check Version:

Maven:  mvn dependency:tree | grep oscore
Gradle: gradle dependencies | grep oscore

Verify Fix Applied:

Verify that the oscore version is 2.2.7 or later both in your dependency files and in the rebuilt, deployed application
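The check above can be automated. The following script is an added example written for this page, not code from the advisory or from the oscore project: it parses the output of mvn dependency:tree or gradle dependencies (which you would pipe into it), finds every opensymphony:oscore coordinate, including transitive ones, and flags any resolved version at or below 2.2.6. The two dependency trees embedded in it are constructed samples; the fixed version 2.2.7 is taken from the advisory, and the assumption that oscore uses plain x.y.z version tags (no qualifiers) is the script's own.

```python
"""Flag vulnerable opensymphony:oscore versions in Maven or Gradle dependency output.

Added example for CVE-2023-39022 (not part of the advisory or the oscore project).
Usage: mvn dependency:tree | python check_oscore.py
"""
import re
import sys

# First non-affected version according to the advisory (2.2.6 and earlier are affected).
FIXED_VERSION = (2, 2, 7)

# Maven format:  [INFO] +- group:artifact:packaging:version:scope
MAVEN_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>\w+):(?P<version>[^:\s]+):(?P<scope>\w+)"
)
# Gradle format: +--- group:artifact:version   (version must start with a digit)
GRADLE_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>\d[\w.\-]*)")

# Constructed sample output (not real project data) for a Maven build that still ships 2.2.6.
SAMPLE_MAVEN_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:war:1.0.0
[INFO] +- opensymphony:oscore:jar:2.2.6:compile
[INFO] +- opensymphony:propertyset:jar:1.3:compile
[INFO] \\- javax.servlet:javax.servlet-api:jar:4.0.1:provided
"""

# Constructed sample output for a Gradle build that has been updated to 2.2.7.
SAMPLE_GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- opensymphony:oscore:2.2.7
\\--- javax.servlet:javax.servlet-api:4.0.1
"""


def parse_version(version):
    """Turn '2.2.6' into (2, 2, 6). Assumption: oscore uses plain dotted numeric tags;
    any trailing qualifier (e.g. '-SNAPSHOT') is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def is_vulnerable(version):
    """True when the resolved version is below the first fixed version (2.2.7)."""
    return parse_version(version) < FIXED_VERSION


def find_oscore(tree_text):
    """Return (group, artifact, version) for every oscore line in Maven or Gradle output."""
    found = []
    for line in tree_text.splitlines():
        m = MAVEN_RE.search(line) or GRADLE_RE.search(line)
        if m and m.group("artifact") == "oscore":
            found.append((m.group("group"), m.group("artifact"), m.group("version")))
    return found


def assess(tree_text):
    """Return one dict per oscore coordinate with its vulnerability verdict."""
    return [
        {"coordinate": f"{group}:{artifact}:{version}", "vulnerable": is_vulnerable(version)}
        for group, artifact, version in find_oscore(tree_text)
    ]


def report(tree_text):
    """Print a verdict per coordinate and return True if any vulnerable version was found."""
    results = assess(tree_text)
    if not results:
        print("oscore not found in dependency output")
    for r in results:
        state = "VULNERABLE (<= 2.2.6, update to 2.2.7 or later)" if r["vulnerable"] else "ok (>= 2.2.7)"
        print(f"{r['coordinate']}: {state}")
    return any(r["vulnerable"] for r in results)


if __name__ == "__main__":
    # Read a real tree from stdin when piped; otherwise demonstrate on the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAVEN_TREE + SAMPLE_GRADLE_TREE
    sys.exit(1 if report(text) else 0)
```

The script exits non-zero when a vulnerable coordinate is present, so it can gate a CI build until the dependency is updated. Because it reads the resolved tree rather than the declared version in pom.xml or build.gradle, it also catches oscore pulled in transitively through another library.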

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java class loading, suspicious process creation from Java applications, unexpected network connections from Java processes

Network Indicators:

  • Unusual outbound connections from application servers, unexpected payloads in HTTP requests to application endpoints

SIEM Query:

source="application.logs" AND ("EJBUtils.createStateless" OR ("oscore" AND "ClassLoader"))

🔗 References