Lucene search

[email protected]NVD:CVE-2023-26433

HistoryJun 20, 2023 - 8:15 a.m.

CVE-2023-26433

2023-06-2008:15:09

CWE-400

[email protected]

web.nvd.nist.gov

imap

mail account

rogue imap service

resource usage

service unavailability

cve-2023-26433

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

4.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.0%

JSON

When adding an external mail account, processing of IMAP “capabilities” responses are not limited to plausible sizes. Attacker with access to a rogue IMAP service could trigger requests that lead to excessive resource usage and eventually service unavailability. We now limit accepted IMAP server response to reasonable length/size. No publicly available exploits are known.

Affected configurations

NVD

Node

open-xchangeopen-xchange_appsuite_backendRange<7.10.6

open-xchangeopen-xchange_appsuite_backendRange8.0.0–8.11.0

open-xchangeopen-xchange_appsuite_backendMatch7.10.6

open-xchangeopen-xchange_appsuite_backendMatch7.10.6revision_39

References

packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html

seclists.org/fulldisclosure/2023/Jun/8

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

4.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.0%

JSON

Related for NVD:CVE-2023-26433

cve1 prion1 cvelist1