CVE-2023-26431

IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

History

12 Jan 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json -

07 Jul 2023, 18:40

Type Values Removed Values Added
CPE cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*
References (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry
References (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes
References (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
First Time Open-xchange
Open-xchange open-xchange Appsuite Backend
CWE CWE-918

22 Jun 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html -

22 Jun 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 -

20 Jun 2023, 13:03

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-20 08:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-26431

Mitre link : CVE-2023-26431

CVE.ORG link : CVE-2023-26431


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite_backend
CWE
CWE-918

Server-Side Request Forgery (SSRF)