CVE-2016-6189 - OpenCVE

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Alinto	Sogo

Configuration 1 [-]

OR	cpe:2.3:a:alinto:sogo::::::::
	cpe:2.3:a:alinto:sogo::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2016/07/09/3
https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
https://sogo.nu/bugs/view.php?id=3695

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-02-17T17:00:00

Updated: 2024-08-06T01:22:20.752Z

Reserved: 2016-07-09T00:00:00

Link: CVE-2016-6189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-02-17T17:59:00.797

Modified: 2022-12-20T16:52:37.880

Link: CVE-2016-6189

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-04T00:00:00", "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-17T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6189", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"name": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225", "refsource": "CONFIRM", "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"name": "https://sogo.nu/bugs/view.php?id=3695", "refsource": "CONFIRM", "url": "https://sogo.nu/bugs/view.php?id=3695"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:22:20.752Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"name": "[oss-security] 20160709 Re: CVE request: several SOGo issues (DOS, XSS, information leakage)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://sogo.nu/bugs/view.php?id=3695"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6189", "datePublished": "2017-02-17T17:00:00", "dateReserved": "2016-07-09T00:00:00", "dateUpdated": "2024-08-06T01:22:20.752Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D75E49A-4A29-46E4-82AF-2AF4CA019014", "versionEndExcluding": "2.3.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C9075E1-13A1-42BC-8141-8981BD1B3640", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds."}, {"lang": "es", "value": "Blacklist incompleta en SOGo en versiones anteriores a 2.3.12 y 3.x en versiones anteriores a 3.1.1 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible leyendo los campos en la fuente (1) ics o (2) de calendario XML."}], "id": "CVE-2016-6189", "lastModified": "2022-12-20T16:52:37.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-17T17:59:00.797", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://sogo.nu/bugs/view.php?id=3695"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "nvd@nist.gov", "type": "Primary"}]}