CVE-2023-26441 — Sensitive Information Exposure in Appsuite Office

CWE-200 — Sensitive Information Exposure CWE-22 — Path Traversal3 documents3 sources

Severity

5.5MEDIUMNVD

CNA5.7

EPSS

0.0%

top 89.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange Appsuite Office OX Software Gmbh OX APP Suite

Timeline

PublishedAug 2

Description

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDopen-xchange/open-xchange_appsuite_office< 8.11

▶CVEListV5ox_software_gmbh/ox_app_suite8.10

🔴Vulnerability Details

CVEList

CVE-2023-26441: Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources↗2023-08-02

▶

GHSA

GHSA-xq7r-2vx2-8jgj: Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources↗2023-08-02

▶