OXAS-ADV-2024-0003
Vulnerability from csaf_ox - Published: 2024-04-24 00:00 - Updated: 2024-08-19 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2024-0003
Severity
Medium
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects an Apache Commons Compress library shipped with OX App Suite.
5.5 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.
Module savepoints could be abused to inject references to malicious code delivered through the same domain.
5.4 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.
jQuery third-party components with known vulnerabilities have been shipped.
6.1 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.
References
{
"document": {
"aggregate_severity": {
"text": "MEDIUM"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"lang": "en-US",
"publisher": {
"category": "vendor",
"name": "Open-Xchange GmbH",
"namespace": "https://open-xchange.com/"
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf"
},
{
"category": "self",
"summary": "Canonical CSAF document",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json"
},
{
"category": "self",
"summary": "Markdown representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2024/oxas-adv-2024-0003.md"
},
{
"category": "self",
"summary": "HTML representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0003.html"
},
{
"category": "self",
"summary": "Plain-text representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2024/oxas-adv-2024-0003.txt"
}
],
"title": "OX App Suite Security Advisory OXAS-ADV-2024-0003",
"tracking": {
"current_release_date": "2024-08-19T00:00:00+00:00",
"generator": {
"date": "2024-08-19T07:26:47+00:00",
"engine": {
"name": "OX CSAF",
"version": "1.0.0"
}
},
"id": "OXAS-ADV-2024-0003",
"initial_release_date": "2024-04-24T00:00:00+02:00",
"revision_history": [
{
"date": "2024-04-24T00:00:00+02:00",
"number": "1",
"summary": "Initial release"
},
{
"date": "2024-08-19T00:00:00+00:00",
"number": "2",
"summary": "Public release"
},
{
"date": "2024-08-19T00:00:00+00:00",
"number": "3",
"summary": "Public release"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev61",
"product": {
"name": "OX App Suite backend 7.10.6-rev61",
"product_id": "OXAS-BACKEND_7.10.6-rev61",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev61:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.22",
"product": {
"name": "OX App Suite backend 8.22",
"product_id": "OXAS-BACKEND_8.22",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.22:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev62",
"product": {
"name": "OX App Suite backend 7.10.6-rev62",
"product_id": "OXAS-BACKEND_7.10.6-rev62",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev62:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.23",
"product": {
"name": "OX App Suite backend 8.23",
"product_id": "OXAS-BACKEND_8.23",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.23:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite backend"
},
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev42",
"product": {
"name": "OX App Suite frontend 7.10.6-rev42",
"product_id": "OXAS-FRONTEND_7.10.6-rev42",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev42:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev43",
"product": {
"name": "OX App Suite frontend 7.10.6-rev43",
"product_id": "OXAS-FRONTEND_7.10.6-rev43",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev43:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6277"
}
]
}
}
}
],
"category": "product_name",
"name": "OX App Suite frontend"
}
],
"category": "vendor",
"name": "Open-Xchange GmbH"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-25710",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-03-01T16:15:20+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-2525"
}
],
"notes": [
{
"category": "description",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress. This issue affects an Apache Commons Compress library shipped with OX App Suite."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev62",
"OXAS-BACKEND_8.23"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev61",
"OXAS-BACKEND_8.22"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-11T14:13:57+02:00",
"details": "Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev61",
"OXAS-BACKEND_8.22"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev61",
"OXAS-BACKEND_8.22"
]
}
],
"threats": [
{
"category": "impact",
"details": "The vulnerability can potentially be exploited through OX App Suite and affect availability of the service."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Apache Commons Compress library is prone to a denial of service (DoS) vulnerability."
},
{
"cve": "CVE-2024-25582",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2024-01-30T08:49:22+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2718"
}
],
"notes": [
{
"category": "description",
"text": "Module savepoints could be abused to inject references to malicious code delivered through the same domain."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev43"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev42"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-04T15:19:41+02:00",
"details": "Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev42"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev42"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS using arbitrary relative path to UI module"
},
{
"cve": "CVE-2021-41184",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2024-01-15T14:01:36+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2699"
}
],
"notes": [
{
"category": "description",
"text": "jQuery third-party components with known vulnerabilities have been shipped."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev43"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev42"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-28T15:13:17+01:00",
"details": "Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev42"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev42"
]
}
],
"threats": [
{
"category": "impact",
"details": "This update serves as a preventive measure since no practical exploitation in the context of OX App Suite is feasible."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Outdated jquery-ui shipped with 7.10.6"
}
]
}