cnvd - cnvd-2022-89608

CNVD-2022-89608

Vulnerability from cnvd - Published: 2022-12-23

Title

Microsoft Exchange Server权限提升漏洞（CNVD-2022-89608）

Description

Microsoft Exchange Server是美国微软（Microsoft）公司的一套电子邮件服务程序。它提供邮件存取、储存、转发，语音邮件，邮件过滤筛选等功能。 Microsoft Exchange Server存在权限提升漏洞。攻击者可利用该漏洞提升权限。

Severity

高

Patch Name

Microsoft Exchange Server权限提升漏洞（CNVD-2022-89608）的补丁

Patch Description

Microsoft Exchange Server是美国微软（Microsoft）公司的一套电子邮件服务程序。它提供邮件存取、储存、转发，语音邮件，邮件过滤筛选等功能。 Microsoft Exchange Server存在权限提升漏洞。攻击者可利用该漏洞提升权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41080

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-41080

Impacted products

Name
['Microsoft Exchange Server 2013 Cumulative Update 23', 'Microsoft Exchange Server 2019 Cumulative Update 11', 'Microsoft Exchange Server 2016 Cumulative Update 22', 'Microsoft Exchange Server 2019 Cumulative Update 12', 'Microsoft Exchange Server 2016 Cumulative Update 23']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-41080",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-41080"
    }
  },
  "description": "Microsoft Exchange Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u7535\u5b50\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\u3002\u5b83\u63d0\u4f9b\u90ae\u4ef6\u5b58\u53d6\u3001\u50a8\u5b58\u3001\u8f6c\u53d1\uff0c\u8bed\u97f3\u90ae\u4ef6\uff0c\u90ae\u4ef6\u8fc7\u6ee4\u7b5b\u9009\u7b49\u529f\u80fd\u3002\n\nMicrosoft Exchange Server\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41080",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-89608",
  "openTime": "2022-12-23",
  "patchDescription": "Microsoft Exchange Server\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u7535\u5b50\u90ae\u4ef6\u670d\u52a1\u7a0b\u5e8f\u3002\u5b83\u63d0\u4f9b\u90ae\u4ef6\u5b58\u53d6\u3001\u50a8\u5b58\u3001\u8f6c\u53d1\uff0c\u8bed\u97f3\u90ae\u4ef6\uff0c\u90ae\u4ef6\u8fc7\u6ee4\u7b5b\u9009\u7b49\u529f\u80fd\u3002\r\n\r\nMicrosoft Exchange Server\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Exchange Server\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2022-89608\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Exchange Server 2013 Cumulative Update 23",
      "Microsoft Exchange Server 2019 Cumulative Update 11",
      "Microsoft Exchange Server 2016 Cumulative Update 22",
      "Microsoft Exchange Server 2019 Cumulative Update 12",
      "Microsoft Exchange Server 2016 Cumulative Update 23"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-41080",
  "serverity": "\u9ad8",
  "submitTime": "2022-11-10",
  "title": "Microsoft Exchange Server\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08CNVD-2022-89608\uff09"
}

CVE-2022-41080 (GCVE-0-2022-41080)

Vulnerability from cvelistv5 – Published: 2022-11-09 00:00 – Updated: 2025-10-21 23:15

Summary

Microsoft Exchange Server Elevation of Privilege Vulnerability

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

Elevation of Privilege

Assigner

microsoft

References

URL

Tags

https://msrc.microsoft.com/update-guide/vulnerabi…

vendor-advisory

Impacted products

Vendor

Product

Version

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 23

Affected: 15.01.0 , < 15.01.2507.016 (custom)

Microsoft	Microsoft Exchange Server 2019 Cumulative Update 12	Affected: 15.02.0 , < 15.02.1118.020 (custom)
Microsoft	Microsoft Exchange Server 2013 Cumulative Update 23	Affected: 15.00.0 , < 15.00.1497.044 (custom)
Microsoft	Microsoft Exchange Server 2019 Cumulative Update 11	Affected: 15.02.0 , < 15.02.0986.036 (custom)
Microsoft	Microsoft Exchange Server 2016 Cumulative Update 22	Affected: 15.0.0 , < 15.01.2375.037 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:35:48.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41080",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-12-22T05:00:58.328537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-01-10",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41080"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:31.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41080"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-01-10T00:00:00+00:00",
            "value": "CVE-2022-41080 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.016",
              "status": "affected",
              "version": "15.01.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 12",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1118.020",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2013 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.00.1497.044",
              "status": "affected",
              "version": "15.00.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 11",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.0986.036",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 22",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2375.037",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.016",
                  "versionStartIncluding": "15.01.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_12:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1118.020",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.00.1497.044",
                  "versionStartIncluding": "15.00.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_11:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.0986.036",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_22:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2375.037",
                  "versionStartIncluding": "15.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2022-11-08T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of Privilege",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-02T21:31:28.814Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2022-41080",
    "datePublished": "2022-11-09T00:00:00.000Z",
    "dateReserved": "2022-09-19T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:31.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-89608

CVE-2022-41080 (GCVE-0-2022-41080)

Tags

Sightings

Nomenclature