LDAP Filter Injection via LDAP Contacts Provider in Microsoft Skype for Business
CVE-2023-29050 Published on January 8, 2024
The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break the confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.
Vulnerability Analysis
CVE-2023-29050 is exploitable with network access and requires user privileges. This vulnerability is considered to have a low attack complexity. Exploitation is considered to have a high impact on confidentiality, no impact on integrity, and a small impact on availability.
Weakness Type
What is a LDAP Injection Vulnerability?
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
CVE-2023-29050 has been classified as an LDAP Injection vulnerability or weakness.
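The advisory says the fix was to add encoding for user-provided fragments before they are placed into the LDAP filter. The following is an added illustration of that mitigation, not code from OX App Suite or from this page: it contrasts a filter built by raw concatenation with one that escapes the fragment per RFC 4515 and restricts the searchable attribute to an allow-list. The attribute names, the filter shape and the sample input are constructed for the example.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
# Each is replaced by a backslash followed by its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Hypothetical allow-list of attributes a contacts lookup may search on.
ALLOWED_ATTRS = {"cn", "sn", "mail", "displayName"}

# Matches one simple assertion "(attr=value)"; escaped values contain no parentheses,
# so counting these shows whether an input changed the structure of the filter.
_ASSERTION = re.compile(r"\([^()]*=[^()]*\)")


def escape_filter_value(value: str) -> str:
    """Return `value` with filter metacharacters encoded so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_contact_filter_unsafe(attr: str, fragment: str) -> str:
    """'Before' form: the user fragment is concatenated into the filter unchanged."""
    return f"(&(objectClass=person)({attr}={fragment}*))"


def build_contact_filter_safe(attr: str, fragment: str) -> str:
    """'After' form: attribute is allow-listed and the fragment is RFC 4515 escaped."""
    if attr not in ALLOWED_ATTRS:
        raise ValueError(f"attribute not searchable: {attr!r}")
    return f"(&(objectClass=person)({attr}={escape_filter_value(fragment)}*))"


def count_assertions(ldap_filter: str) -> int:
    """Number of simple assertions in the filter; a fixed template should keep this constant."""
    return len(_ASSERTION.findall(ldap_filter))


if __name__ == "__main__":
    # Constructed input: a name prefix that also carries filter metacharacters.
    fragment = "smith*)(mail=*"
    unsafe = build_contact_filter_unsafe("cn", fragment)
    safe = build_contact_filter_safe("cn", fragment)
    print("unsafe:", unsafe, "assertions:", count_assertions(unsafe))
    print("safe:  ", safe, "assertions:", count_assertions(safe))
```

In the raw-concatenation form the fragment adds a third assertion to a template that should only ever have two, which is exactly the "modify the intended LDAP query" behaviour CWE-90 describes; with escaping applied the filter keeps its two assertions and the metacharacters are matched as literal text. A template with a fixed assertion count is also a cheap runtime check to log on, independent of the escaping itself.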
Products Associated with CVE-2023-29050
Open-Xchange OX App Suite; Microsoft Skype For Business Server.
Affected Versions
Open-Xchange GmbH OX App Suite:
- Before and including 7.10.6-rev50 is affected.
- Before and including 8.16 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.