cnvd - cnvd-2016-07584

CNVD-2016-07584

Vulnerability from cnvd - Published: 2016-09-18

Title

Microsoft Exchange Server信息泄露漏洞（CNVD-2016-07584）

Description

Microsoft Exchange Server是美国微软（Microsoft）公司的一套电子邮件服务程序，它提供邮件存取、储存、转发，语音邮件，邮件过滤筛选等功能。 Microsoft Exchange Server中存在信息泄露漏洞。攻击者可借助分析电子邮件利用该漏洞发现Microsoft Outlook应用程序中所包含的机密用户信息。

Severity

中

Patch Name

Microsoft Exchange Server信息泄露漏洞（CNVD-2016-07584）的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://technet.microsoft.com/en-us/security/bulletin/MS16-108

Reference

http://www.securityfocus.com/bid/92806

Impacted products

Name
['Microsoft Exchange Server 2007 SP3', 'Microsoft Exchange Server 2013 SP1，Update 8', 'Microsoft Exchange Server 2013 Cumulative Update 12', 'Microsoft Exchange Server 2013 Cumulative Update 13', 'Microsoft Exchange Server 2016 Cumulative Update 1', 'Microsoft Exchange Server 2016 Cumulative Update 2', 'Microsoft Exchange Server 2010 SP3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "92806"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-0138"
    }
  },
  "description": "Microsoft Exchange Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u7535\u5b50\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\uff0c\u5b83\u63d0\u4f9b\u90ae\u4ef6\u5b58\u53d6\u3001\u50a8\u5b58\u3001\u8f6c\u53d1\uff0c\u8bed\u97f3\u90ae\u4ef6\uff0c\u90ae\u4ef6\u8fc7\u6ee4\u7b5b\u9009\u7b49\u529f\u80fd\u3002\r\n\r\nMicrosoft Exchange Server\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5206\u6790\u7535\u5b50\u90ae\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u73b0Microsoft Outlook\u5e94\u7528\u7a0b\u5e8f\u4e2d\u6240\u5305\u542b\u7684\u673a\u5bc6\u7528\u6237\u4fe1\u606f\u3002",
  "discovererName": "Bassel Rachid of DH Corporation,Lucie Brochu.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://technet.microsoft.com/en-us/security/bulletin/MS16-108",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-07584",
  "openTime": "2016-09-18",
  "patchDescription": "Microsoft Exchange Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u7535\u5b50\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\uff0c\u5b83\u63d0\u4f9b\u90ae\u4ef6\u5b58\u53d6\u3001\u50a8\u5b58\u3001\u8f6c\u53d1\uff0c\u8bed\u97f3\u90ae\u4ef6\uff0c\u90ae\u4ef6\u8fc7\u6ee4\u7b5b\u9009\u7b49\u529f\u80fd\u3002\r\n\r\nMicrosoft Exchange Server\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5206\u6790\u7535\u5b50\u90ae\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u73b0Microsoft Outlook\u5e94\u7528\u7a0b\u5e8f\u4e2d\u6240\u5305\u542b\u7684\u673a\u5bc6\u7528\u6237\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Exchange Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2016-07584\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Exchange Server 2007 SP3",
      "Microsoft Exchange Server 2013 SP1\uff0cUpdate 8",
      "Microsoft Exchange Server 2013 Cumulative Update 12",
      "Microsoft Exchange Server 2013 Cumulative Update 13",
      "Microsoft Exchange Server 2016 Cumulative Update 1",
      "Microsoft Exchange Server 2016 Cumulative Update 2",
      "Microsoft Exchange Server 2010 SP3"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/92806",
  "serverity": "\u4e2d",
  "submitTime": "2016-09-14",
  "title": "Microsoft Exchange Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2016-07584\uff09"
}

CVE-2016-0138 (GCVE-0-2016-0138)

Vulnerability from cvelistv5 – Published: 2016-09-14 10:00 – Updated: 2024-08-05 22:08

Summary

Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka "Microsoft Exchange Information Disclosure Vulnerability."

Severity ?

No CVSS data available.

CWE

Assigner

microsoft

References

URL

Tags

	https://docs.microsoft.com/en-us/security-updates…	vendor-advisoryx_refsource_MS
	http://www.securitytracker.com/id/1036778	vdb-entryx_refsource_SECTRACK
	http://www.securityfocus.com/bid/92806	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:08:13.322Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "MS16-108",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-108"
          },
          {
            "name": "1036778",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036778"
          },
          {
            "name": "92806",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92806"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka \"Microsoft Exchange Information Disclosure Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "MS16-108",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-108"
        },
        {
          "name": "1036778",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036778"
        },
        {
          "name": "92806",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92806"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2016-0138",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka \"Microsoft Exchange Information Disclosure Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "MS16-108",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-108"
            },
            {
              "name": "1036778",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036778"
            },
            {
              "name": "92806",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92806"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2016-0138",
    "datePublished": "2016-09-14T10:00:00",
    "dateReserved": "2015-12-04T00:00:00",
    "dateUpdated": "2024-08-05T22:08:13.322Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-07584

CVE-2016-0138 (GCVE-0-2016-0138)

Tags

Sightings

Nomenclature