Vulnerability Description
Connections to external data sources, such as e-mail autoconfiguration, were not terminated when they hit a timeout; the timeout was only logged while the connection stayed open. Some of these connections target user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result, users were able to trigger a large number of egress network connections, possibly exhausting network pool resources and locking up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.
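The failure mode in the description, a timeout that is logged but leaves the socket open so that each stalled connection keeps a pool slot, is easy to reproduce in a small model. The following is an added example, not Open-Xchange code: a constructed stalling TCP endpoint stands in for a malicious user-supplied autoconfig host, `LeakyFetcher` models the pre-fix behaviour (log and move on), and `CancellingFetcher` models the fix (close the socket and release the slot on timeout). All class, function and pool-size names are assumptions for the illustration.

```python
import socket
import threading


def start_stalling_server():
    """Constructed stand-in for a malicious, user-supplied autoconfig host:
    it accepts every TCP connection and never sends a byte back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held = []  # keep accepted peers alive so the client side stays connected

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: shut down
                return
            held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


class LeakyFetcher:
    """Pre-fix behaviour as the advisory describes it: a read timeout is
    logged, but the connection stays open and keeps its pool slot."""

    def __init__(self, max_connections):
        self.max_connections = max_connections
        self.pool = []  # sockets currently holding a pool slot
        self.log = []

    def _open(self, host, port, timeout):
        if len(self.pool) >= self.max_connections:
            raise RuntimeError("egress connection pool exhausted")
        s = socket.create_connection((host, port), timeout=timeout)
        self.pool.append(s)
        return s

    def fetch(self, host, port, timeout):
        s = self._open(host, port, timeout)
        try:
            s.sendall(b"GET /autoconfig HTTP/1.0\r\n\r\n")
            return s.recv(1024)
        except socket.timeout:
            self.log.append("timeout while reading from %s:%d" % (host, port))
            return None  # defect being modelled: socket stays open and in self.pool


class CancellingFetcher(LeakyFetcher):
    """Fixed behaviour: on timeout (or any other error) the connection is
    cancelled, i.e. the socket is closed and its pool slot released."""

    def fetch(self, host, port, timeout):
        s = self._open(host, port, timeout)
        try:
            s.sendall(b"GET /autoconfig HTTP/1.0\r\n\r\n")
            return s.recv(1024)
        except socket.timeout:
            self.log.append("timeout while reading from %s:%d, connection cancelled" % (host, port))
            return None
        finally:
            self.pool.remove(s)
            s.close()


def count_refused(fetcher, host, port, attempts, timeout=0.05):
    """Issue `attempts` fetches against a stalling endpoint and return how many
    were refused because the pool had no free slot."""
    refused = 0
    for _ in range(attempts):
        try:
            fetcher.fetch(host, port, timeout)
        except RuntimeError:
            refused += 1
    return refused


def demo(pool_size=3, attempts=5):
    """Run both fetchers against the stalling server and return the counts."""
    srv, port = start_stalling_server()
    leaky = LeakyFetcher(pool_size)
    fixed = CancellingFetcher(pool_size)
    try:
        result = {
            "leaky_refused": count_refused(leaky, "127.0.0.1", port, attempts),
            "leaky_still_open": len(leaky.pool),
            "fixed_refused": count_refused(fixed, "127.0.0.1", port, attempts),
            "fixed_still_open": len(fixed.pool),
        }
    finally:
        for s in leaky.pool:
            s.close()
        srv.close()
    return result


if __name__ == "__main__":
    # expected: {'leaky_refused': 2, 'leaky_still_open': 3, 'fixed_refused': 0, 'fixed_still_open': 0}
    print(demo())
```

With a pool of three slots, the leaky fetcher refuses the fourth and fifth request because the three timed-out sockets are still counted as in use, while the cancelling fetcher serves all five and ends with an empty pool. The `log` list also shows the detection angle: a burst of timeouts against hosts supplied by one user is the signal to alert on, and the cancellation in `finally` is what keeps that burst from turning into a denial of service for other users.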
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Open-Xchange Appsuite | < 7.10.6 |
Related Weaknesses (CWE)
References
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release (Release Notes, Vendor Advisory)
FAQ
What is CVE-2023-29046?
CVE-2023-29046 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Connections to external data sources, such as e-mail autoconfiguration, were not terminated when they hit a timeout; the timeout was only logged. Some connections use user-controlled endpoints; see the full vulnerability description above.
How severe is CVE-2023-29046?
CVE-2023-29046 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above.
Is there a patch for CVE-2023-29046?
Check the References section above for vendor advisories and patch information. Affected product: Open-Xchange AppSuite, versions before 7.10.6.