CVE-2016-0138
Published 2016-09-14
Priority P428 · medium · 4.3 (CVSS 3.0)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 13.46% (96.0th percentile)
Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka "Microsoft Exchange Information Disclosure Vulnerability."
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| msrc | microsoft_exchange_server_2007_service_pack_3 | — | — |
| msrc | microsoft_exchange_server_2010_service_pack_3 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_13 | — | — |
| msrc | microsoft_exchange_server_2013_service_pack_1 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_1 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_2 | — | — |
CVSS provenance
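| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_msrc | — | 4.3 | HIGH | — |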
GHSA
ghsa_unreviewed·2022-05-14
CVE-2016-0138 [MEDIUM] CWE-200 GHSA-rcqp-7hhj-rfxj: Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumul
Microsoft
Microsoft Outlook Information Disclosure Vulnerability
vendor_msrc·2016-09-13·CVSS 4.3
CVE-2016-0138 [MEDIUM] Microsoft Outlook Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in the way that Microsoft Exchange Server parses email messages. The vulnerability could allow an attacker to discover confidential user information that is contained in Microsoft Outlook applications.
To exploit the vulnerability, an attacker could use "send as" rights to send a specially crafted message to a user.
The security update addresses the vulnerability by correcting how Microsoft Exchange parses certain unstructured file formats.
Customer Action Required: Yes
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely; Ol
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/92806
http://www.securitytracker.com/id/1036778
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-108