CVE-2023-26438 - OpenCVE

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Open-xchange	Open-xchange Appsuite Backend

Configuration 1 [-]

OR	cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:8.10.0:::::::*

References

Link	Resource
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf	Release Notes

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: OX

Published: 2023-08-02T12:22:59.459Z

Updated: 2024-01-12T07:13:21.611Z

Reserved: 2023-02-22T20:42:56.090Z

Link: CVE-2023-26438

JSON object: View

NVD Information

Status : Modified

Published: 2023-08-02T13:15:10.323

Modified: 2024-01-12T08:15:41.150

Link: CVE-2023-26438

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-26438", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2023-02-22T20:42:56.090Z", "datePublished": "2023-08-02T12:22:59.459Z", "dateUpdated": "2024-01-12T07:13:21.611Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["backend"], "product": "OX App Suite", "vendor": "OX Software GmbH", "versions": [{"lessThanOrEqual": "7.10.6-rev42", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.10", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.</p>"}], "value": "External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2024-01-12T07:13:21.611Z"}, "references": [{"tags": ["release-notes"], "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf"}, {"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json"}, {"url": "http://seclists.org/fulldisclosure/2023/Aug/8"}, {"url": "http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html"}], "source": {"defect": ["MWB-1877"], "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*", "matchCriteriaId": "D41FD049-C028-4C6D-A9D7-9DD1820B2C5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:8.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "332D5572-4F7D-498F-9E01-F8555674B4B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.\n\n"}, {"lang": "es", "value": "Las b\u00fasquedas de servicios externos para una serie de protocolos eran vulnerables a una debilidad de condici\u00f3n de carrera de tiempo de comprobaci\u00f3n/tiempo de uso (TOCTOU), que afectaba a JDK DNS Cache. Los atacantes que sincronizaban correctamente la expiraci\u00f3n de la cach\u00e9 DNS pod\u00edan inyectar una configuraci\u00f3n que elud\u00eda las listas de denegaci\u00f3n de red existentes. Los atacantes pod\u00edan explotar esta debilidad para descubrir la existencia de una infraestructura de red restringida y la disponibilidad del servicio. Se introdujeron mejoras para incluir de denegaci\u00f3n no s\u00f3lo durante la comprobaci\u00f3n de los datos de conexi\u00f3n proporcionados, sino tambi\u00e9n durante el uso. No se conocen exploits disponibles p\u00fablicamente. "}], "id": "CVE-2023-26438", "lastModified": "2024-01-12T08:15:41.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2023-08-02T13:15:10.323", "references": [{"source": "security@open-xchange.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html"}, {"source": "security@open-xchange.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Aug/8"}, {"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json"}, {"source": "security@open-xchange.com", "tags": ["Release Notes"], "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@open-xchange.com", "type": "Secondary"}]}