LDAP Injection Vulnerability in Open-Xchange App Suite
CVE-2023-29050

7.6 HIGH

Key Information:

Vendor: Open-Xchange
CVE Published: 8 January 2024

What is CVE-2023-29050?

The LDAP contacts provider in OX App Suite builds LDAP search filters from user-supplied fragments. A user who already holds elevated privileges can place LDAP filter syntax in such a fragment and thereby change the structure of the query the provider sends to the directory. An injected filter can return directory data outside the access hierarchy the provider is meant to enforce (a confidentiality impact), or can form expensive queries that place excessive load on the LDAP directory server, degrading availability up to a denial of service. The fix adds encoding for user-provided fragments before they are used in LDAP query construction. Organisations running affected versions should deploy the vendor updates and, until they do, keep the elevated privileges needed to reach the provider tightly controlled.
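To make the mechanism concrete, the following Python is an added example written for this page; it is not code from Open-Xchange or OX App Suite. The directory entries, the filter template (&(ou=sales)(cn=...)) and the attacker strings are constructed assumptions, and the filter evaluator is a minimal RFC 4515 subset included only so the example runs offline. It shows one search term handled by a builder that splices the fragment in raw, and by one that applies RFC 4515 value encoding, which is the kind of fix the advisory describes.

```python
import re

# Constructed sample directory (not real data): one dict per entry, single-valued
# attributes. userPassword is never returned by the contacts provider, which is
# exactly what makes it an interesting target for an injected assertion.
DIRECTORY = [
    {"cn": "alice", "ou": "sales", "mail": "alice@example.test", "userPassword": "s3cret"},
    {"cn": "bob", "ou": "sales", "mail": "bob@example.test", "userPassword": "hunter2"},
    {"cn": "carol", "ou": "finance", "mail": "carol@example.test", "userPassword": "letmein"},
]

# Hypothetical template: the hierarchy is pinned by a fixed ou assertion and the
# user's search term lands in a cn assertion.
TEMPLATE = "(&(ou=sales)(cn={term}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: backslash, '*', '(', ')' and NUL become '\\XX' escapes,
    so a value can no longer close its assertion, open another, or act as a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_unsafe(term: str) -> str:
    """Vulnerable pattern: raw user input spliced into the filter."""
    return TEMPLATE.format(term=term)


def build_filter_safe(term: str) -> str:
    """Fixed pattern: same template, fragment encoded first."""
    return TEMPLATE.format(term=escape_filter_value(term))


# Minimal RFC 4515 subset evaluator (&, |, !, attr=value with '*' wildcards),
# written only so the example runs offline without a directory server.
def _parse(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            kid, pos = _parse(text, pos)
            kids.append(kid)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, kids), pos + 1
    end = text.index(")", pos)  # an escaped ')' is '\29', so this cannot be fooled
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(text: str):
    """Parse a filter into nested tuples; trailing data after the filter is rejected."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _value_regex(value: str):
    """Assertion value to regex: '\\XX' is a literal byte, a bare '*' is a wildcard."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr)
    return actual is not None and _value_regex(value).match(actual) is not None


def search(filter_text: str) -> list:
    """Return the cn of every directory entry matching the filter."""
    node = parse_filter(filter_text)
    return [e["cn"] for e in DIRECTORY if _matches(node, e)]


def demo() -> dict:
    """Run a legitimate term and a constructed attacker probe through both builders."""
    legit = "alice"
    # Constructed attacker input: closes the cn assertion and appends one on
    # userPassword. Unescaped, the filter becomes
    # (&(ou=sales)(cn=alice)(userPassword=s*)), so whether alice is returned
    # leaks the first character of an attribute the provider never shows.
    probe_hit = "alice)(userPassword=s*"
    probe_miss = "alice)(userPassword=t*"
    return {
        "unsafe_legit": search(build_filter_unsafe(legit)),
        "unsafe_probe_hit": search(build_filter_unsafe(probe_hit)),
        "unsafe_probe_miss": search(build_filter_unsafe(probe_miss)),
        "safe_legit": search(build_filter_safe(legit)),
        "safe_probe_hit": search(build_filter_safe(probe_hit)),
        "safe_filter": build_filter_safe(probe_hit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the unsafe builder the probe turns the search into a yes/no oracle on userPassword, one character per request, which is data well outside what a contacts search should expose. With the safe builder the same input is a single cn assertion that matches nothing. The same encoding also neutralises attacker-placed unanchored '*' wildcards, which is the usual route to the expensive substring searches behind the load and denial-of-service side of the advisory.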

Affected Version(s)

OX App Suite 7.10.6 up to and including 7.10.6-rev50

OX App Suite 8.x up to and including 8.16

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 8 January 2024

  • Vulnerability reserved