CVE-2019-1084

Summary

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka 'Microsoft Exchange Information Disclosure Vulnerability'.

Affected Software

VendorProductVersion RangeStatus
MicrosoftMicrosoft Exchange Server2010 Service Pack 3affected
MicrosoftMicrosoft Outlook2010 Service Pack 2 (32-bit editions)affected
MicrosoftMicrosoft Outlook2010 Service Pack 2 (64-bit editions)affected
MicrosoftMicrosoft Outlook2016 (32-bit edition)affected
MicrosoftMicrosoft Outlook2016 (64-bit edition)affected
MicrosoftMicrosoft Outlook2013 Service Pack 1 (32-bit editions)affected
MicrosoftMicrosoft Outlook2013 Service Pack 1 (64-bit editions)affected
MicrosoftMicrosoft Office2013 Service Pack 1 (32-bit editions)affected
MicrosoftMicrosoft Office2013 Service Pack 1 (64-bit editions)affected
MicrosoftMicrosoft Office2013 RT Service Pack 1affected
MicrosoftMicrosoft Office2016 for Macaffected
MicrosoftMicrosoft Office2016 (32-bit edition)affected
MicrosoftMicrosoft Office2016 (64-bit edition)affected
MicrosoftMicrosoft Office2019 for 32-bit editionsaffected
MicrosoftMicrosoft Office2019 for 64-bit editionsaffected
MicrosoftMicrosoft Office2019 for Macaffected
MicrosoftMicrosoft Lync2013 Service Pack 1 (32-bit)affected
MicrosoftMicrosoft Lync2013 Service Pack 1 (64-bit)affected
MicrosoftMicrosoft Lync Basic2013 Service Pack 1 (32-bit)affected
MicrosoftMicrosoft Lync Basic2013 Service Pack 1 (64-bit)affected
MicrosoftMicrosoft Outlook for Androidunspecifiedaffected
MicrosoftSkype for Business2016 (32-bit)affected
MicrosoftSkype for Business2016 (64-bit)affected
MicrosoftSkype for Business Basic2016 (32-bit)affected
MicrosoftSkype for Business Basic2016 (64-bit)affected
MicrosoftOffice 365 ProPlus32-bit Systemsaffected
MicrosoftOffice 365 ProPlus64-bit Systemsaffected
MicrosoftMicrosoft Exchange Server 2016Cumulative Update 12affected
MicrosoftMicrosoft Exchange Server 2016Cumulative Update 13affected
MicrosoftMicrosoft Exchange Server 2019Cumulative Update 1affected
MicrosoftMicrosoft Exchange Server 2019Cumulative Update 2affected
MicrosoftMicrosoft Exchange Server 2013Cumulative Update 23affected
MicrosoftMail and Calendarunspecifiedaffected
MicrosoftOutlook for iOSunspecifiedaffected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References