CVE-2021-33766
Microsoft Exchange Server Information Disclosure Vulnerability
In short
A security flaw in Microsoft Exchange Server allows attackers to read sensitive information like emails and calendar data without proper authentication. This happens through a weakness in how the server handles certain requests.
Technical detail
This vulnerability allows an unauthenticated attacker to obtain sensitive information stored on Exchange Server instances through an improper input validation flaw in the server's request handling. The attack requires network access to the affected Exchange service and can result in unauthorized access to mailbox contents, calendar data, and other confidential information without valid credentials.
Summary generated and translated by AI from the official description.
Microsoft Exchange Server Information Disclosure Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
Affected products
Microsoft · Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft · Microsoft Exchange Server 2016 Cumulative Update 19
Microsoft · Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft · Microsoft Exchange Server 2019 Cumulative Update 8
Microsoft · Microsoft Exchange Server 2019 Cumulative Update 9
Public PoCs found: 2
github · github.com/bhdresh/CVE-2021-33766 ★ 48
github · github.com/demossl/CVE-2021-33766-ProxyToken ★ 10
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.