CVE-2016-6190
Published on: 02/17/2017 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:11 PM UTC
Certain versions of Sogo from Inverse-inc contain the following vulnerability:
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.
- CVE-2016-6190 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 4.3 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | LOW | NONE | NONE |
CVSS2 Score: 4 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
(fix) improved previous commit for attributes stripping and UID gener… · inverse-inc/sogo@717f45f · GitHub | Patch github.com text/html | CONFIRM github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 |
(fix) improved previous commit for attributes stripping and UID gener… · inverse-inc/sogo@875a4ac · GitHub | Patch github.com text/html | CONFIRM github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d |
0003696: Meta information can be derived from UID/DTSTAMP attributes though "View the Date & Time" restricted access - SOGo | BTS | Vendor Advisory sogo.nu text/html | CONFIRM sogo.nu/bugs/view.php?id=3696 |
oss-security - Re: CVE request: several SOGo issues (DOS, XSS, information leakage) | Mailing List VDB Entry www.openwall.com text/html | MLIST [oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage) |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Inverse-inc | Sogo | 3.0.0 | All | All | All |
Application | Inverse-inc | Sogo | 3.0.0 | beta_1 | All | All |
Application | Inverse-inc | Sogo | 3.0.0 | beta_2 | All | All |
Application | Inverse-inc | Sogo | 3.0.0 | beta_3 | All | All |
Application | Inverse-inc | Sogo | 3.0.0 | beta_4 | All | All |
Application | Inverse-inc | Sogo | 3.0.0 | beta_5 | All | All |
Application | Inverse-inc | Sogo | 3.0.1 | All | All | All |
Application | Inverse-inc | Sogo | 3.0.2 | All | All | All |
Application | Inverse-inc | Sogo | 3.1.0 | All | All | All |
Application | Inverse-inc | Sogo | All | All | All | All |
- cpe:2.3:a:inverse-inc:sogo:3.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.0:beta_1:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.0:beta_2:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.0:beta_3:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.0:beta_4:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.0:beta_5:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.1:*:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.0.2:*:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:3.1.0:*:*:*:*:*:*:*:
- cpe:2.3:a:inverse-inc:sogo:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE