CVE-2023-26438

Summary

CVE	CVE-2023-26438
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-08-02 13:15:00 UTC
Updated	2024-01-12 08:15:00 UTC
Description	External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.

Risk And Classification

Problem Types: CWE-918 | CWE-367

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Open-xchange	Open-xchange Appsuite Backend	7.10.6	All	All	All
Application	Open-xchange	Open-xchange Appsuite Backend	8.10.0	All	All	All

References

Reference	Source	Link	Tags
OX App Suite SSRF / SQL Injection / Cross Site Scripting ≈ Packet Storm	MISC	packetstormsecurity.com
documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json		documentation.open-xchange.com
documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json	MISC	documentation.open-xchange.com
Full Disclosure: OXAS-ADV-2023-0003: OX App Suite Security Advisory	MISC	seclists.org
software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7....	MISC	software.open-xchange.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.