CVE-2023-46730 - Vulnerability Details - OpenCVE

Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0019.

Key SSVC decision points have not yet been added.

Vendors	Products
Group-office	Group Office

Configuration 1 [-]

OR	cpe:2.3:a:group-office:group_office::::::::
	cpe:2.3:a:group-office:group_office::::::::
	cpe:2.3:a:group-office:group_office::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-07T17:35:36.332Z

Updated: 2024-09-04T15:56:13.023Z

Reserved: 2023-10-25T14:30:33.751Z

Link: CVE-2023-46730

Vulnrichment

Updated: 2024-08-02T20:53:21.013Z

NVD

Status : Modified

Published: 2023-11-07T18:15:08.973

Modified: 2024-11-21T08:29:10.773

Link: CVE-2023-46730

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-25T14:30:33.751Z", "datePublished": "2023-11-07T17:35:36.332Z", "dateUpdated": "2024-09-04T15:56:13.023Z"}, "containers": {"cna": {"title": "Server-Side Request Forgery in groupoffice ", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"}, {"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": ">= 6.3.0, < 6.6.177", "status": "affected"}, {"version": ">= 6.7.0, < 6.7.54", "status": "affected"}, {"version": ">= 6.8.0, < 6.8.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-07T17:35:36.332Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-vw6c-h82w-mvfv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.013Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"}, {"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"}]}, {"affected": [{"vendor": "intermesh", "product": "group-office", "cpes": ["cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.30", "status": "affected", "lessThan": "6.6.177", "versionType": "custom"}, {"version": "6.70", "status": "affected", "lessThan": "6.7.54", "versionType": "custom"}, {"version": "6.80", "status": "affected", "lessThan": "6.8.15", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:52:27.981201Z", "id": "CVE-2023-46730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:56:13.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.013Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-04T15:52:27.981201Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*"], "vendor": "intermesh", "product": "group-office", "versions": [{"status": "affected", "version": "6.30", "lessThan": "6.6.177", "versionType": "custom"}, {"status": "affected", "version": "6.70", "lessThan": "6.7.54", "versionType": "custom"}, {"status": "affected", "version": "6.80", "lessThan": "6.8.15", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:56:03.552Z"}}], "cna": {"title": "Server-Side Request Forgery in groupoffice ", "source": {"advisory": "GHSA-vw6c-h82w-mvfv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": ">= 6.3.0, < 6.6.177"}, {"status": "affected", "version": ">= 6.7.0, < 6.7.54"}, {"status": "affected", "version": ">= 6.8.0, < 6.8.15"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-07T17:35:36.332Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46730", "state": "PUBLISHED", "dateUpdated": "2024-09-04T15:56:13.023Z", "dateReserved": "2023-10-25T14:30:33.751Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-11-07T17:35:36.332Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "358DA8A0-B9ED-4A34-9137-FF09D7AFD94D", "versionEndExcluding": "6.6.177", "versionStartIncluding": "6.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C2230FE-1533-4B8A-9C5B-771DFBD0C492", "versionEndExcluding": "6.7.54", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "84304CD1-C71F-481B-9C4A-16157206A677", "versionEndExcluding": "6.8.15", "versionStartIncluding": "6.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Group-Office es una herramienta de software colaborativo y CRM empresarial. En las versiones afectadas hay una vulnerabilidad completa de Server-Side Request Forgery (SSRF) en el endpoint /api/upload.php. El endpoint /api/upload.php no filtra las URL, lo que permite que un usuario malintencionado haga que el servidor realice solicitudes de recursos a dominios que no son de confianza. Tenga en cuenta que protocolos como file:// tambi\u00e9n se pueden utilizar para acceder al disco del servidor. El resultado de la solicitud (en caso de \u00e9xito) se puede recuperar usando /api/download.php. Este problema se solucion\u00f3 en las versiones 6.8.15, 6.7.54 y 6.6.177. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-46730", "lastModified": "2024-11-21T08:29:10.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-07T18:15:08.973", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}