CVE-2023-29050

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.

CVSS v3.0 9.6 CRITICAL

9.6^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf	Release Notes
http://seclists.org/fulldisclosure/2024/Jan/3	Mailing List Third Party Advisory
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html	Third Party Advisory VDB Entry
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30::::::
	cpe:2.3:a:open-xchange:ox_app_suite::::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev37::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev36::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev35::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev50::::::
	cpe:2.3:a:open-xchange:ox_app_suite:8.16:::::::*

Information

Published : 2024-01-08 09:15

Updated : 2024-01-12 14:24

NVD link : CVE-2023-29050

Mitre link : CVE-2023-29050

JSON object : View

Products Affected

open-xchange

ox_app_suite

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

9.6 /10