CVE-2023-29046
Vulnerability from cvelistv5
Published
2023-11-02 13:01
Modified
2024-08-02 14:00
Severity ?
EPSS score ?
Summary
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
OX Software GmbH | OX App Suite |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:00:14.609Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "release-notes", "x_transferred" ], "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "backend" ], "product": "OX App Suite", "vendor": "OX Software GmbH", "versions": [ { "lessThanOrEqual": "7.10.6-rev48", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "8.11", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eConnections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.\u003c/p\u003e" } ], "value": "Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-12T07:08:22.530Z", "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX" }, "references": [ { "tags": [ "release-notes" ], "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf" }, { "tags": [ "vendor-advisory" ], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json" } ], "source": { "defect": [ "MWB-1982" ], "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "assignerShortName": "OX", "cveId": "CVE-2023-29046", "datePublished": "2023-11-02T13:01:39.521Z", "dateReserved": "2023-03-30T09:34:25.188Z", "dateUpdated": "2024-08-02T14:00:14.609Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-29046\",\"sourceIdentifier\":\"security@open-xchange.com\",\"published\":\"2023-11-02T14:15:11.217\",\"lastModified\":\"2024-01-12T07:15:09.733\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Las conexiones a fuentes de datos externas, como la configuraci\u00f3n autom\u00e1tica de correo electr\u00f3nico, no finalizaban en caso de que se agotara el tiempo de espera, sino que esas conexiones se registraban. Algunas conexiones utilizan endpoints controlados por el usuario, que podr\u00edan ser maliciosos e intentar mantener la conexi\u00f3n abierta durante un per\u00edodo prolongado. Como resultado, los usuarios pudieron activar una gran cantidad de conexiones de red de salida, lo que posiblemente agot\u00f3 los recursos del grupo de redes y bloque\u00f3 solicitudes leg\u00edtimas. Se ha introducido un nuevo mecanismo para cancelar conexiones externas que podr\u00edan acceder a endpoints controlados por el usuario. No se conocen exploits disponibles p\u00fablicamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"security@open-xchange.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"security@open-xchange.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.10.6\",\"matchCriteriaId\":\"59D4F30E-2F52-4948-9C69-C57472833C79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A144D75D-60A8-4EE0-813C-F658C626B2AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6069:*:*:*:*:*:*\",\"matchCriteriaId\":\"2DA66230-DE02-4881-A893-E9E78286B157\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6073:*:*:*:*:*:*\",\"matchCriteriaId\":\"955F3DFB-6479-4867-B62A-82730DBEB498\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6080:*:*:*:*:*:*\",\"matchCriteriaId\":\"327D1B56-0D05-4D99-91D4-CC1F0AC32972\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6085:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0CD0684-C431-47F8-A2F4-1936D5C5A72B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6093:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAA6A4A7-C1EE-4716-9F4D-2FF4C4D5FEC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6102:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0968764-CCEE-47A7-9111-E106D887DA43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6112:*:*:*:*:*:*\",\"matchCriteriaId\":\"16589FBB-F0CD-4041-8141-5C89FCCA72AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6121:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CB877EE-A5FE-4FF7-9D21-5C1CFA7343D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6133:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DF5FB90-8D6D-4F99-B454-411B1DFFA630\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6138:*:*:*:*:*:*\",\"matchCriteriaId\":\"F58876B9-6C2E-4048-A793-B441A84E86F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6141:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5F177CB-CC45-45A0-9D02-C14A13ECC7A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6146:*:*:*:*:*:*\",\"matchCriteriaId\":\"A89A4192-54E9-4899-8C7B-6C7F7E650D5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6147:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2DC1357-9CD5-415F-A190-2F3F4498EF96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6148:*:*:*:*:*:*\",\"matchCriteriaId\":\"D78ACF64-2802-44DD-AF7A-1BD5EA7F9908\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6150:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8F675FA-1684-413A-B1BE-1C5434AC2862\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6156:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3F1FDC3-35B2-4BDB-A685-75BC72588179\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6161:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B1E509D-2F41-4296-86D2-6BD71783060F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6166:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC93EA37-F341-45EC-B651-4F326FB8C613\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6173:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A4DB8A6-1702-462C-BFCB-39F91D2EFCE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6176:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC0AEFDB-D033-47FC-93FC-8652F922BB8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6178:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5354768-6527-43C2-B492-A8C14AB4E784\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6189:*:*:*:*:*:*\",\"matchCriteriaId\":\"D83F26D1-B8C6-4114-81EC-810DD5412DC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6194:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9EBC010-9963-4636-96F7-A121FCF755A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6199:*:*:*:*:*:*\",\"matchCriteriaId\":\"F626D64B-C301-4CD8-94B4-48689BD3F29C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6204:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E32810C-7B35-42F1-BCA5-E10C02BE2215\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6205:*:*:*:*:*:*\",\"matchCriteriaId\":\"6539D059-8614-4C26-93C4-C2DDCC5D35E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6209:*:*:*:*:*:*\",\"matchCriteriaId\":\"E359EE75-A2F9-479B-B757-CAE1064AB8F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6210:*:*:*:*:*:*\",\"matchCriteriaId\":\"0BCABDEF-D292-406E-B53C-AFF22484E916\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6214:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABE8872C-B1DD-4A45-8EF8-E8C355CA6C54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6215:*:*:*:*:*:*\",\"matchCriteriaId\":\"44B20B83-833A-4C68-8693-365BD046C157\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6216:*:*:*:*:*:*\",\"matchCriteriaId\":\"E254E6D1-D18E-4A2A-A2FF-7D03F39E65DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6218:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F0C5E53-4D15-425A-B4CF-5869353724BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6219:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F4BF5F1-F316-4BAC-83E0-DEAC8C50754E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6220:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CDD03A8-5B86-4B87-9C29-6C967261C5C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6227:*:*:*:*:*:*\",\"matchCriteriaId\":\"6071E15F-4D59-41DC-A4D4-7D1AA392A1F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6230:*:*:*:*:*:*\",\"matchCriteriaId\":\"C72C1CEB-7BF7-4A5F-B2E9-397F86CCBF4E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6233:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B0F0218-4224-4084-B38D-9719D3782C03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6235:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFC41329-1AD6-4575-A22D-977EC5539DA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6236:*:*:*:*:*:*\",\"matchCriteriaId\":\"217A06B7-0823-4508-BC0C-AD792BA88F7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6239:*:*:*:*:*:*\",\"matchCriteriaId\":\"246E98B2-A6C8-4410-AA6A-7E81EE8C5E76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6241:*:*:*:*:*:*\",\"matchCriteriaId\":\"74D1EC02-D009-45DA-B1EC-2219E0F0183C\"}]}]}],\"references\":[{\"url\":\"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json\",\"source\":\"security@open-xchange.com\"},{\"url\":\"https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf\",\"source\":\"security@open-xchange.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.