Vulnerability Details : CVE-2023-29046
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.
Products affected by CVE-2023-29046
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:-:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6069:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6073:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6080:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6085:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6093:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6102:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6112:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6121:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6133:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6138:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6141:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6146:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6147:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6148:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6150:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6156:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6161:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6166:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6173:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6176:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6178:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6189:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6194:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6199:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6205:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6204:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6209:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6210:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6214:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6215:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6216:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6218:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6219:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6220:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6227:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6230:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6233:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6235:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6236:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6239:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6241:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29046
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 30 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29046
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
Open-Xchange |
CWE ids for CVE-2023-29046
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by:
- nvd@nist.gov (Primary)
- security@open-xchange.com (Secondary)
References for CVE-2023-29046
-
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf
Release Notes;Vendor Advisory
-
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json
-
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json
Vendor Advisory
Jump to