CVE-2023-26431: SSRF
First published: Tue Jun 20 2023(Updated: )
IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.
Credit: security@open-xchange.com security@open-xchange.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <7.10.6 | ||
| >=8.0.0<8.11.0 | ||
| =7.10.6 | ||
| =7.10.6-revision_39 | ||
| Open-xchange Open-xchange Appsuite Backend | <7.10.6 | |
| Open-xchange Open-xchange Appsuite Backend | >=8.0.0<8.11.0 | |
| Open-xchange Open-xchange Appsuite Backend | =7.10.6 | |
| Open-xchange Open-xchange Appsuite Backend | =7.10.6-revision_39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
- http://seclists.org/fulldisclosure/2023/Jun/8
- http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
- https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-26431.
What is the severity of CVE-2023-26431?
The severity of CVE-2023-26431 is medium with a CVSS score of 4.3.
Which software is affected by CVE-2023-26431?
Open-xchange Appsuite Backend versions up to 7.10.6 and versions 8.0.0 to 8.11.0 are affected by CVE-2023-26431.
How can attackers exploit CVE-2023-26431?
Attackers with access to user accounts can use CVE-2023-26431 to bypass deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and run commands.
Where can I find more information about CVE-2023-26431?
More information about CVE-2023-26431 can be found in the following references: [Packet Storm Security](http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html), [SecLists Full Disclosure](http://seclists.org/fulldisclosure/2023/Jun/8), [Open-Xchange Documentation](https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/open-xchange
- canonical/open-xchange open-xchange appsuite backend
- version/open-xchange open-xchange appsuite backend/8.0.0
- version/open-xchange open-xchange appsuite backend/7.10.6
- version/open-xchange open-xchange appsuite backend/7.10.6-revision_39