Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-1084

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka 'Microsoft Exchange Information Disclosure Vulnerability'.

Published

2019-07-15T19:15:17.873

Last Modified

2024-11-21T04:35:59.043

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	microsoft	exchange_server	2010	Yes
Application	microsoft	exchange_server	2013	Yes
Application	microsoft	exchange_server	2016	Yes
Application	microsoft	exchange_server	2016	Yes
Application	microsoft	exchange_server	2016	Yes
Application	microsoft	exchange_server	2016	Yes
Application	microsoft	lync	2013	Yes
Application	microsoft	lync_basic	2013	Yes
Application	microsoft	mail_and_calendar	-	Yes
Application	microsoft	office	2010	Yes
Application	microsoft	office	2013	Yes
Application	microsoft	office	2016	Yes
Application	microsoft	office	2016	Yes
Application	microsoft	office	2019	Yes
Application	microsoft	office	2019	Yes
Application	microsoft	office_365_proplus	-	Yes
Application	microsoft	outlook	-	Yes
Application	microsoft	outlook	2013	Yes
Application	microsoft	outlook	2016	Yes
Application	microsoft	outlook	2016	Yes
Application	microsoft	skype_for_business	2016	Yes
Application	microsoft	skype_for_business_basic	2016	Yes

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1084 Patch, Vendor Advisory ([email protected])
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1084 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)