CVE-2023-26438: SSRF
First published: Wed Aug 02 2023(Updated: )
External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.
Credit: security@open-xchange.com security@open-xchange.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| =7.10.6 | ||
| =8.10.0 | ||
| Open-xchange Open-xchange Appsuite Backend | =7.10.6 | |
| Open-xchange Open-xchange Appsuite Backend | =8.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
- http://seclists.org/fulldisclosure/2023/Aug/8
- http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
- https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json
Frequently Asked Questions
What is CVE-2023-26438?
CVE-2023-26438 is a vulnerability that affects Open-xchange Open-xchange Appsuite Backend versions 7.10.6 and 8.10.0.
What is the severity of CVE-2023-26438?
CVE-2023-26438 has a severity level of 3.1 (medium).
How does CVE-2023-26438 work?
CVE-2023-26438 is a time-of-check/time-of-use (TOCTOU) weakness that involves the JDK DNS cache. Attackers can exploit it to inject configuration that bypasses network deny-lists.
How can I fix CVE-2023-26438?
To fix CVE-2023-26438, you need to update to the patched versions mentioned in the release notes.
What are the references for CVE-2023-26438?
You can find more information about CVE-2023-26438 in the following references: [Link 1](https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json), [Link 2](https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf), [Link 3](http://seclists.org/fulldisclosure/2023/Aug/8).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/nvd-latest
- vendor/open-xchange
- canonical/open-xchange open-xchange appsuite backend
- version/open-xchange open-xchange appsuite backend/7.10.6
- version/open-xchange open-xchange appsuite backend/8.10.0