CVE-2020-16969

Summary

<p>An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.</p> <p>To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.</p> <p>The security update corrects the way that Exchange handles these token validations.</p>

Affected Software

VendorProductVersion RangeStatus
MicrosoftMicrosoft Exchange Server 2019 Cumulative Update 615.02.0 < publicationaffected
MicrosoftMicrosoft Exchange Server 2016 Cumulative Update 1715.01.0 < publicationaffected
MicrosoftMicrosoft Exchange Server 2019 Cumulative Update 715.02.0 < publicationaffected
MicrosoftMicrosoft Exchange Server 2016 Cumulative Update 1815.01.0 < publicationaffected
MicrosoftMicrosoft Exchange Server 2013 Cumulative Update 2315.00.0 < publicationaffected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References