CVE-2023-26427

Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known.

CVSS v3 3.2 LOW

3.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.5 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf	Release Notes
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:open-xchange:open-xchange_appsuite_backend::::::::
	cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39::::::

History

No history.

Information

Published : 2023-06-20 08:15

Updated : 2024-11-21 07:51

NVD link : CVE-2023-26427

Mitre link : CVE-2023-26427

CVE.ORG link : CVE-2023-26427

JSON object : View

Products Affected

open-xchange

open-xchange_appsuite_backend

CWE

CWE-922

Insecure Storage of Sensitive Information

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2023-26427", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@open-xchange.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2023-06-20T08:15:09.073", "references": [{"url": "http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@open-xchange.com"}, {"url": "http://seclists.org/fulldisclosure/2023/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@open-xchange.com"}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json", "source": "security@open-xchange.com"}, {"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf", "tags": ["Release Notes"], "source": "security@open-xchange.com"}, {"url": "http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2023/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@open-xchange.com", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known.\n\n"}], "lastModified": "2024-11-21T07:51:24.863", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74EDAF14-4BF1-4E62-AA44-86090B6BEEFD", "versionEndExcluding": "7.10.6"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D41FD049-C028-4C6D-A9D7-9DD1820B2C5F"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B382924-49BE-43BF-B012-7F8F8A90CA6C"}], "operator": "OR"}]}], "sourceIdentifier": "security@open-xchange.com"}