Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2019-1084

Disclosure Date: July 15, 2019
CVE-2019-1084 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka ‘Microsoft Exchange Information Disclosure Vulnerability’.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2016 for Mac
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)
Microsoft Outlook for Android
Skype for Business 2016 (32-bit)
Skype for Business 2016 (64-bit)
Skype for Business Basic 2016 (32-bit)
Skype for Business Basic 2016 (64-bit)
Office 365 ProPlus 32-bit Systems
Office 365 ProPlus 64-bit Systems
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 1
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft Exchange Server 2013 Cumulative Update 23
Mail and Calendar
Outlook for iOS
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • exchange server 2010,
  • exchange server 2013,
  • exchange server 2016,
  • lync 2013,
  • lync basic 2013,
  • mail and calendar -,
  • office 2010,
  • office 2013,
  • office 2016,
  • office 2019,
  • office 365 proplus -,
  • outlook -,
  • outlook 2013,
  • outlook 2016,
  • skype for business 2016,
  • skype for business basic 2016

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis