CVE-2023-29050 — LDAP Injection in OX APP Suite

CWE-90 — LDAP Injection CWE-74 — Injection3 documents3 sources

Severity

9.6CRITICALNVD

CNA7.6

EPSS

0.1%

top 70.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange OX APP Suite Open-xchange Gmbh OX APP Suite

Timeline

PublishedJan 8

Description

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:HExploitability: 3.1 | Impact: 5.8

Affected Packages2 packages

▶NVDopen-xchange/ox_app_suite< 7.10.6+2

▶CVEListV5open-xchange_gmbh/ox_app_suite7.10.6-rev50+1

🔴Vulnerability Details

CVEList

CVE-2023-29050: The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the in↗2024-01-08

▶

GHSA

GHSA-4p4p-22cr-2gqw: The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the in↗2024-01-08

▶