CVE-2023-29050

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2024/Jan/3	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json	Issue Tracking
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:open-xchange:ox_app_suite::::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev35::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev36::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev37::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev50::::::
	cpe:2.3:a:open-xchange:ox_app_suite:8.16:::::::*

History

12 Jan 2024, 14:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev35:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev37:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33:::::: cpe:2.3:a:open-xchange:ox_app_suite:8.16:::::::* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:::::: cpe:2.3:a:open-xchange:ox_app_suite:::::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev50:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev36:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31::::::
First Time		Open-xchange Open-xchange ox App Suite
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.6
CWE		CWE-74
References	~~() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json -~~	() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json - Issue Tracking
References	~~() https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf -~~	() https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf - Release Notes
References	~~() http://seclists.org/fulldisclosure/2024/Jan/3 -~~	() http://seclists.org/fulldisclosure/2024/Jan/3 - Mailing List, Third Party Advisory
References	~~() http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html -~~	() http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html - Third Party Advisory, VDB Entry

12 Jan 2024, 07:15

Type	Values Removed	Values Added
References	{'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0005.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0005.json', 'tags': [], 'refsource': ''}	() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json -

09 Jan 2024, 18:15

Type	Values Removed	Values Added
References		() http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html -

08 Jan 2024, 23:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Jan/3 -

08 Jan 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-08 09:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-29050

Mitre link : CVE-2023-29050

CVE.ORG link : CVE-2023-29050

JSON object : View

Products Affected

open-xchange

ox_app_suite

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

9.6 /10