CVE-2019-1084

Severity
6.5 MEDIUM
EPSS
9.0%
top 7.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 15
Latest update: May 24

Description

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka 'Micros

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (20 packages)

NVD | microsoft/exchange_server | 2010, 2013, 2016 +2
CVEListV5 | microsoft/microsoft_exchange_server | 2010 Service Pack 3
CVEListV5 | microsoft/microsoft_exchange_server_2013 | Cumulative Update 23
CVEListV5 | microsoft/microsoft_exchange_server_2016 | Cumulative Update 12, Cumulative Update 13 +1
CVEListV5 | microsoft/microsoft_exchange_server_2019 | Cumulative Update 1, Cumulative Update 2 +1

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-r2c7-qvrq-pwg6: An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters (2022-05-24)
CVEList
CVE-2019-1084: An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters (2019-07-15)

📋 Vendor Advisories

1
Microsoft
Microsoft Exchange Information Disclosure Vulnerability (2019-07-09)