
CVE-2017-11761

Published: 12 Sep 2017
Source: msrc
EPSS: Low

Description

Microsoft Exchange Information Disclosure Vulnerability

An input sanitization issue exists with Microsoft Exchange that could potentially result in unintended Information Disclosure. An attacker who successfully exploited the vulnerability could identify the existence of RFC1918 addresses on the local network from a client on the Internet. An attacker could use this internal host information as part of a larger attack.

To exploit the vulnerability, an attacker could include specially crafted tags in Calendar-related messages sent to an Exchange server. These specially-tagged messages could prompt the Exchange server to fetch information from internal servers. By observing telemetry from these requests, a client could discern properties of internal hosts intended to be hidden from the Internet.

The update corrects the way that Exchange parses Calendar-related messages.

Updates

Product | Article | Update
Microsoft Exchange Server 2013 Cumulative Update 17
Microsoft Exchange Server 2016 Cumulative Update 6
Microsoft Exchange Server 2016 Cumulative Update 7
Microsoft Exchange Server 2013 Cumulative Update 18


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Unlikely
Older Software Release: Exploitation Unlikely

EPSS

Percentile: 92%
0.07988
Low

Related vulnerabilities

CVSS3: 5.3
nvd
almost 8 years ago

Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016 allow an input sanitization issue with Microsoft Exchange that could potentially result in unintended Information Disclosure, aka "Microsoft Exchange Information Disclosure Vulnerability"

CVSS3: 5.3
github
about 3 years ago

Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016 allow an input sanitization issue with Microsoft Exchange that could potentially result in unintended Information Disclosure, aka "Microsoft Exchange Information Disclosure Vulnerability"
