CVE-2023-26433

When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. Attacker with access to a rogue IMAP service could trigger requests that lead to excessive resource usage and eventually service unavailability. We now limit accepted IMAP server response to reasonable length/size. No publicly available exploits are known.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

History

12 Jan 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json -

06 Jul 2023, 15:02

Type Values Removed Values Added
References (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry
References (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes
References (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - Third Party Advisory
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
First Time Open-xchange
Open-xchange open-xchange Appsuite Backend
CPE cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

22 Jun 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html -

22 Jun 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 -

20 Jun 2023, 13:03

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-20 08:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-26433

Mitre link : CVE-2023-26433

CVE.ORG link : CVE-2023-26433


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite_backend
CWE
NVD-CWE-noinfo CWE-400

Uncontrolled Resource Consumption