IPv4-mapped IPv6 addresses did not get recognized as local by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Open-xchange_appsuite_backend | Open-xchange | * | 7.10.6 (excluding) |
| Open-xchange_appsuite_backend | Open-xchange | 8.0.0 (including) | 8.11.0 (excluding) |
| Open-xchange_appsuite_backend | Open-xchange | 7.10.6 (including) | 7.10.6 (including) |
| Open-xchange_appsuite_backend | Open-xchange | 7.10.6-revision_39 (including) | 7.10.6-revision_39 (including) |