CVE-2016-6189 - OpenCVE

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Alinto	Sogo

Configuration 1 [-]

OR	cpe:2.3:a:alinto:sogo::::::::
	cpe:2.3:a:alinto:sogo::::::::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/07/09/3	Mailing List VDB Entry
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225	Patch
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d	Patch
https://sogo.nu/bugs/view.php?id=3695	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-02-17T17:00:00

Updated: 2017-02-17T16:57:01

Reserved: 2016-07-09T00:00:00

Link: CVE-2016-6189

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-02-17T17:59:00.797

Modified: 2022-12-20T16:52:37.880

Link: CVE-2016-6189

JSON object: View

Redhat Information

No data.

CWE

CWE-184

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-04T00:00:00", "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-17T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6189", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"name": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"name": "https://sogo.nu/bugs/view.php?id=3695", "refsource": "CONFIRM", "url": "https://sogo.nu/bugs/view.php?id=3695"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6189", "datePublished": "2017-02-17T17:00:00", "dateReserved": "2016-07-09T00:00:00", "dateUpdated": "2017-02-17T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D75E49A-4A29-46E4-82AF-2AF4CA019014", "versionEndExcluding": "2.3.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C9075E1-13A1-42BC-8141-8981BD1B3640", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}, {"lang": "es", "value": "Blacklist incompleta en SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible leyendo los campos en la fuente (1) ics o (2) de calendario XML."}], "id": "CVE-2016-6189", "lastModified": "2022-12-20T16:52:37.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-17T17:59:00.797", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "nvd@nist.gov", "type": "Primary"}]}