CVE-2019-0588 : An information disclosure vulnerability exists when the Microsoft Exchange Power

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server.

Published 2019-01-08 21:29:02

Updated 2020-08-24 17:37:01

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2019-0588

Microsoft » Exchange Server » Version: 2013 Update Cumulative Update 21
cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
Matching versions
Microsoft » Exchange Server » Version: 2016 Update Cumulative Update 10
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
Matching versions
Microsoft » Exchange Server » Version: 2016 Update Cumulative Update 11
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
Matching versions
Microsoft » Exchange Server » Version: 2019
cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
Matching versions
Microsoft » Exchange Server » Version: 2010 Update Sp3 Rollup25
cpe:2.3:a:microsoft:exchange_server:2010:sp3_rollup25:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-0588

Top countries where our scanners detected CVE-2019-0588

Top open port discovered on systems with this issue 10001

IPs affected by CVE-2019-0588 7,551

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-0588!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-0588

EPSS FAQ

3.69%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-0588

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-0588

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-0588

http://www.securityfocus.com/bid/106437

Microsoft Exchange Server CVE-2019-0588 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0588

CVE-2019-0588 | Microsoft Exchange Information Disclosure Vulnerability
Patch;Vendor Advisory