CVE-2023-26438

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:8.10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:51

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2023/Aug/8 - Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2023/Aug/8 - Mailing List, Third Party Advisory
References () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json - () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json -
References () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf - Release Notes () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf - Release Notes
CVSS v2 : unknown
v3 : 3.1
v2 : unknown
v3 : 4.3

12 Jan 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json', 'tags': ['Vendor Advisory'], 'refsource': 'MISC'}
  • () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json -

07 Aug 2023, 18:29

Type Values Removed Values Added
CWE CWE-367
CWE-918
First Time Open-xchange open-xchange Appsuite Backend
Open-xchange
References (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json - (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json - Vendor Advisory
References (MISC) http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html - (MISC) http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry
References (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf - (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf - Release Notes
References (MISC) http://seclists.org/fulldisclosure/2023/Aug/8 - (MISC) http://seclists.org/fulldisclosure/2023/Aug/8 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:8.10.0:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 3.1

03 Aug 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html -

02 Aug 2023, 20:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Aug/8 -

02 Aug 2023, 13:30

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-02 13:15

Updated : 2024-11-21 07:51


NVD link : CVE-2023-26438

Mitre link : CVE-2023-26438

CVE.ORG link : CVE-2023-26438


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite_backend
CWE
CWE-918

Server-Side Request Forgery (SSRF)

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition