CVE-2023-39022: 
Java vulnerability analysis and mitigation

A code injection vulnerability was discovered in oscore version 2.2.6 and below, specifically in the component com.opensymphony.util.EJBUtils.createStateless. The vulnerability was assigned CVE-2023-39022 and was disclosed on July 28, 2023. The vulnerability allows attackers to execute arbitrary commands through unchecked arguments (NVD, GitHub POC).

The vulnerability exists in the EJBUtils.createStateless method within the com.opensymphony.util.EJBUtils component. The method fails to properly validate input arguments, allowing attackers to pass malicious LDAP URLs that can lead to arbitrary command execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the highest severity level (NVD).

Successful exploitation of this vulnerability can result in complete compromise of the affected system, allowing attackers to execute arbitrary code with the privileges of the application. The high CVSS score indicates that the vulnerability can lead to a complete loss of confidentiality, integrity, and availability of the system (NVD).

The recommended mitigation is to filter LDAP, RMI, and related protocols when using the lookup functionality. Organizations should upgrade to a version newer than 2.2.6 when available or implement input validation to prevent the use of dangerous protocols (GitHub POC).