CVE-2023-30186: 
ONLYOFFICE DocumentServer vulnerability analysis and mitigation

A use after free issue was discovered in ONLYOFFICE DocumentServer versions 4.0.3 through 7.3.2. The vulnerability exists in the Docbuilder component which uses a v8 engine to execute JavaScript code inside the process. The vulnerability allows remote attackers to run arbitrary code via a crafted JavaScript file (Gist, NVD).

The vulnerability exists in the SaveAlloc and SaveReAlloc functions of the CNativeControl class. When a new v8::ArrayBuffer object is created using SaveAlloc and a data viewer is created for this buffer, the viewer's backing store points to the allocated mpSaveBinary. When SaveReAlloc is subsequently executed, it frees the previous heap chunk pointed to by mpSaveBinary and allocates a new one, but the data viewer's backing store still points to the freed memory location. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

This vulnerability allows an attacker to manipulate the data viewer to leak or change the content of the freed heap chunk, potentially leading to arbitrary code execution. The vulnerability can be exploited remotely through the /docbuilder API route, though from version 7.2 onwards, an attacker needs to know the generated JWT token to communicate with /docbuilder (Gist).

The vulnerability has been patched in a commit that removes the vulnerable functionality from the DesktopEditor/doctrenderer/embed/jsc/jsc_NativeControl.mm file (Core Commit). Users should upgrade to a version containing this fix.