CVE-2016-0138 — Sensitive Information Exposure in Microsoft Exchange Server

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

14.0%

top 5.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Exchange Server

Timeline

PublishedSep 14

Latest updateMay 14

Description

Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka "Microsoft Exchange Information Disclosure Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDmicrosoft/exchange_server4 versions+3

🔴Vulnerability Details

GHSA

GHSA-rcqp-7hhj-rfxj: Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumul↗2022-05-14

▶

CVEList

CVE-2016-0138: Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumul↗2016-09-14

▶

📋Vendor Advisories

Microsoft

Microsoft Outlook Information Disclosure Vulnerability↗2016-09-13

▶

💬Community

Bugzilla

CVE-2016-2370 pidgin: MXIT Custom Resource Denial of Service Vulnerability↗2016-06-22

▶