Lucene search

[email protected]CVE-2023-29051

HistoryJan 08, 2024 - 9:15 a.m.

CVE-2023-29051

2024-01-0809:15:20

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-29051

oxmf templates

java api

unauthorized access

security vulnerability

exploit prevention

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.6%

JSON

User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product. No publicly available exploits are known.

Affected configurations

NVD

Node

open-xchangeox_app_suiteRange<7.10.6

open-xchangeox_app_suiteMatch7.10.6-

open-xchangeox_app_suiteMatch7.10.6rev01

open-xchangeox_app_suiteMatch7.10.6rev02

open-xchangeox_app_suiteMatch7.10.6rev03

open-xchangeox_app_suiteMatch7.10.6rev04

open-xchangeox_app_suiteMatch7.10.6rev05

open-xchangeox_app_suiteMatch7.10.6rev06

open-xchangeox_app_suiteMatch7.10.6rev07

open-xchangeox_app_suiteMatch7.10.6rev08

open-xchangeox_app_suiteMatch7.10.6rev09

open-xchangeox_app_suiteMatch7.10.6rev10

open-xchangeox_app_suiteMatch7.10.6rev11

open-xchangeox_app_suiteMatch7.10.6rev12

open-xchangeox_app_suiteMatch7.10.6rev13

open-xchangeox_app_suiteMatch7.10.6rev14

open-xchangeox_app_suiteMatch7.10.6rev15

open-xchangeox_app_suiteMatch7.10.6rev16

open-xchangeox_app_suiteMatch7.10.6rev17

open-xchangeox_app_suiteMatch7.10.6rev18

open-xchangeox_app_suiteMatch7.10.6rev19

open-xchangeox_app_suiteMatch7.10.6rev20

open-xchangeox_app_suiteMatch7.10.6rev21

open-xchangeox_app_suiteMatch7.10.6rev22

open-xchangeox_app_suiteMatch7.10.6rev23

open-xchangeox_app_suiteMatch7.10.6rev24

open-xchangeox_app_suiteMatch7.10.6rev25

open-xchangeox_app_suiteMatch7.10.6rev26

open-xchangeox_app_suiteMatch7.10.6rev27

open-xchangeox_app_suiteMatch7.10.6rev28

open-xchangeox_app_suiteMatch7.10.6rev29

open-xchangeox_app_suiteMatch7.10.6rev30

open-xchangeox_app_suiteMatch7.10.6rev31

open-xchangeox_app_suiteMatch7.10.6rev32

open-xchangeox_app_suiteMatch7.10.6rev33

open-xchangeox_app_suiteMatch7.10.6rev34

open-xchangeox_app_suiteMatch7.10.6rev35

open-xchangeox_app_suiteMatch7.10.6rev36

open-xchangeox_app_suiteMatch7.10.6rev37

open-xchangeox_app_suiteMatch7.10.6rev50

open-xchangeox_app_suiteMatch8.17

CPENameOperatorVersion
open-xchange:ox_app_suiteopen-xchange ox app suitelt7.10.6
open-xchange:ox_app_suiteopen-xchange ox app suiteeq8.17

CPE	Name	Operator	Version
open-xchange:ox_app_suite	open-xchange ox app suite	lt	7.10.6
open-xchange:ox_app_suite	open-xchange ox app suite	eq	8.17

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "backend"
    ],
    "product": "OX App Suite",
    "vendor": "Open-Xchange GmbH",
    "versions": [
      {
        "lessThanOrEqual": "7.10.6-rev51",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.17",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.6%

JSON

Related for CVE-2023-29051

cvelist1 osv1 prion1 nvd1