Lucene search

MitreCVE-2013-7140

HistoryJan 26, 2014 - 8:55 p.m.

CVE-2013-7140

2014-01-2620:55:05

mitre

web.nvd.nist.gov

cve-2013-7140

xml external entity

xxe

vulnerability

caldav interface

open-xchange

ox appsuite

remote authenticated users

sax builder

webdav interface

absolute path traversal

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

47.5%

JSON

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.

Affected configurations

Nvd

Node

open-xchangeopen-xchange_appsuiteRange≤7.4.1

open-xchangeopen-xchange_appsuiteMatch6.20.7

open-xchangeopen-xchange_appsuiteMatch6.22.0

open-xchangeopen-xchange_appsuiteMatch6.22.1

open-xchangeopen-xchange_appsuiteMatch7.0.1

open-xchangeopen-xchange_appsuiteMatch7.0.2

open-xchangeopen-xchange_appsuiteMatch7.2.0

open-xchangeopen-xchange_appsuiteMatch7.2.1

open-xchangeopen-xchange_appsuiteMatch7.2.2

open-xchangeopen-xchange_appsuiteMatch7.4.0

VendorProductVersionCPE
open-xchangeopen-xchange_appsuite*cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite6.20.7cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite6.22.0cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite6.22.1cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.0.1cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.0.2cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.2.0cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.2.1cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.2.2cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*
open-xchangeopen-xchange_appsuite7.4.0cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
open-xchange	open-xchange_appsuite	*	cpe:2.3:a:open-xchange:open-xchange_appsuite::::::::
open-xchange	open-xchange_appsuite	6.20.7	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:::::::*
open-xchange	open-xchange_appsuite	6.22.0	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:::::::*
open-xchange	open-xchange_appsuite	6.22.1	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:::::::*
open-xchange	open-xchange_appsuite	7.0.1	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:::::::*
open-xchange	open-xchange_appsuite	7.0.2	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:::::::*
open-xchange	open-xchange_appsuite	7.2.0	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:::::::*
open-xchange	open-xchange_appsuite	7.2.1	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:::::::*
open-xchange	open-xchange_appsuite	7.2.2	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:::::::*
open-xchange	open-xchange_appsuite	7.4.0	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:::::::*

References

seclists.org/bugtraq/2014/Jan/57

www.osvdb.org/102194

www.securityfocus.com/bid/65015

www.securitytracker.com/id/1029650

exchange.xforce.ibmcloud.com/vulnerabilities/90543

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

47.5%

JSON

Related for CVE-2013-7140