SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.
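The inference the description refers to can be modelled in a few lines: a viewer who is granted only "View the Date & Time" on one calendar should learn nothing but when a slot is busy, but if the UID and DTSTAMP of each event still reach that viewer, and the same invitation also sits in another calendar the viewer can read in full, joining the two on UID (or on DTSTAMP plus start time) recovers the title. The block below is an added example written for this page, not SOGo's code and not its patch; the property whitelist for the restricted view, the two calendars and the assumption that both attendees' copies of the meeting carry the same UID and DTSTAMP are all constructed for the illustration.

```python
"""Model of the CVE-2016-6190 inference: restricted view + full view, joined on UID/DTSTAMP.

Added example for this page; the calendars, the whitelist and the fixed/unfixed
switch are constructed assumptions, not SOGo's implementation.
"""

# Constructed: Alice shares her calendar with "View the Date & Time" only.
ALICE_CALENDAR = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:8a3c1e2f-0001@example.org
DTSTAMP:20160701T090000Z
DTSTART:20160705T140000Z
DTEND:20160705T150000Z
SUMMARY:Board meeting on layoffs
LOCATION:Room 4
END:VEVENT
BEGIN:VEVENT
UID:8a3c1e2f-0002@example.org
DTSTAMP:20160702T100000Z
DTSTART:20160706T090000Z
DTEND:20160706T093000Z
SUMMARY:Dentist
END:VEVENT
END:VCALENDAR
"""

# Constructed: Bob's calendar is fully readable by the attacker. Bob's copy of the
# same invitation keeps the UID (and, here, the DTSTAMP); the SUMMARY is folded
# across two lines as RFC 5545 allows. His second event starts at the same time
# as Alice's dentist slot but is unrelated, so a match on time alone would lie.
BOB_CALENDAR = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:8a3c1e2f-0001@example.org
DTSTAMP:20160701T090000Z
DTSTART:20160705T140000Z
DTEND:20160705T150000Z
SUMMARY:Board meeting on
  layoffs
ATTENDEE:mailto:alice@example.org
END:VEVENT
BEGIN:VEVENT
UID:b7d0-0099@example.org
DTSTAMP:20160703T080000Z
DTSTART:20160706T090000Z
DTEND:20160706T100000Z
SUMMARY:Bob's gym slot
END:VEVENT
END:VCALENDAR
"""

# Assumed whitelist for a date-and-time-only view: timing properties only.
TIMING_ONLY = {"DTSTART", "DTEND", "DURATION", "RRULE"}
# The two properties the advisory says were not withheld before the fix.
LEAKED_BEFORE_FIX = {"UID", "DTSTAMP"}


def parse_ics(text):
    """Minimal iCalendar reader: unfold continuation lines, return one dict per VEVENT."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:   # folded line: drop the fold whitespace
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    events, current = [], None
    for line in lines:
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value   # strip parameters like ;TZID=
    return events


def date_time_view(event, fixed):
    """What a 'View the Date & Time' viewer receives, before (fixed=False) and after the fix."""
    allowed = TIMING_ONLY if fixed else TIMING_ONLY | LEAKED_BEFORE_FIX
    return {k: v for k, v in event.items() if k in allowed}


def correlate(restricted_events, full_events):
    """Join restricted events against fully readable ones; returns {DTSTART: recovered SUMMARY}."""
    by_uid = {e["UID"]: e for e in full_events if "UID" in e}
    by_stamp = {(e["DTSTAMP"], e.get("DTSTART")): e for e in full_events if "DTSTAMP" in e}
    recovered = {}
    for r in restricted_events:
        match = None
        if "UID" in r:
            match = by_uid.get(r["UID"])
        elif "DTSTAMP" in r:
            match = by_stamp.get((r["DTSTAMP"], r.get("DTSTART")))
        if match and "SUMMARY" in match:
            recovered[r["DTSTART"]] = match["SUMMARY"]
    return recovered


def run_demo():
    """Return (what leaks before the fix, what leaks after it)."""
    alice = parse_ics(ALICE_CALENDAR)
    bob = parse_ics(BOB_CALENDAR)
    before = correlate([date_time_view(e, fixed=False) for e in alice], bob)
    after = correlate([date_time_view(e, fixed=True) for e in alice], bob)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before fix:", before)
    print("after fix: ", after)
```

The same join works with DTSTAMP alone when the UID is absent, which is why the advisory names both properties: a restricted view must strip every identifier that is stable across copies of an event, not just the title and location.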
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2016/07/09/3 | Mailing List, VDB Entry |
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 | Patch |
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d | Patch |
https://sogo.nu/bugs/view.php?id=3696 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-02-17T17:00:00
Updated: 2017-02-17T16:57:01
Reserved: 2016-07-09T00:00:00
Link: CVE-2016-6190
NVD Information
Status : Analyzed
Published: 2017-02-17T17:59:00.843
Modified: 2017-02-22T18:00:48.267
Link: CVE-2016-6190
Redhat Information
No data.
CWE