CVE-2022-24463: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity
Medium (CVSS 3.1 base score 6.5; the vector below also carries temporal metrics, which are not reflected in this number)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category
Spoofing
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2022-Mar
Released
2022-03-08
EPSS Score
11.77% (percentile: 93.7%)

FAQ

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated.

What is the nature of the spoofing?

An authenticated attacker could make a specially crafted network call to the target Exchange Server that causes the server to parse an HTTP request made to an attacker-controlled server. This could lead to the disclosure of files from the target Exchange Server.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.
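The FAQ describes the server being induced to make and parse an HTTP request to an attacker-controlled host, so the practical signal for a defender is unexpected outbound HTTP(S) from an Exchange server to a destination that is neither internal nor on its normal allowlist. The script below is an added example, not code from the advisory or from Microsoft: it runs that check over constructed firewall/proxy log lines. The hostnames, IP ranges, allowlist suffixes and log format are assumptions chosen for illustration and would be replaced with the values of the environment being monitored.

```python
"""
Added example (not part of the advisory): flag outbound HTTP(S) connections
from Exchange servers to destinations that are neither internal nor on an
allowlist. Every host name, IP range, allowlist entry and log line below is
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumptions: which hosts are Exchange servers, what counts as internal, and
# which external destinations an Exchange server is expected to talk to.
EXCHANGE_HOSTS = {"exch01.corp.example", "exch02.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_DEST_SUFFIXES = (".office365.com", ".microsoft.com", ".windowsupdate.com")
HTTP_PORTS = {80, 443, 8080}

# Constructed log format: ts,src_host,src_ip,dst_host,dst_ip,dst_port,proto
# ("-" as dst_host means the proxy saw a raw IP connection with no hostname).
SAMPLE_LOG = """\
2022-03-09T10:01:02Z,exch01.corp.example,10.0.1.10,outlook.office365.com,52.96.0.1,443,tcp
2022-03-09T10:01:05Z,exch01.corp.example,10.0.1.10,-,10.0.2.20,443,tcp
2022-03-09T10:02:17Z,exch02.corp.example,10.0.1.11,files.attacker.example,203.0.113.7,80,tcp
2022-03-09T10:02:18Z,ws-1234.corp.example,10.0.5.44,files.attacker.example,203.0.113.7,80,tcp
2022-03-09T10:03:00Z,exch01.corp.example,10.0.1.10,-,198.51.100.9,8080,tcp
2022-03-09T10:03:30Z,exch01.corp.example,10.0.1.10,dc01.corp.example,10.0.0.5,389,tcp
"""


@dataclass(frozen=True)
class Egress:
    ts: str
    src_host: str
    src_ip: str
    dst_host: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_line(line: str) -> Egress:
    """Parse one constructed log line; reject malformed lines loudly."""
    parts = line.strip().split(",")
    if len(parts) != 7:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src_host, src_ip, dst_host, dst_ip, dst_port, proto = parts
    return Egress(ts, src_host, src_ip, dst_host, dst_ip, int(dst_port), proto)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_allowlisted(dst_host: str) -> bool:
    # A raw-IP connection ("-") is never allowlisted: a server fetching from
    # an attacker-supplied address will usually show up exactly like this.
    return dst_host != "-" and dst_host.endswith(ALLOWED_DEST_SUFFIXES)


def find_suspicious_egress(log_text: str) -> list[Egress]:
    """Return HTTP(S) connections from Exchange hosts to unexpected destinations."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.src_host not in EXCHANGE_HOSTS:
            continue          # only Exchange servers are in scope here
        if ev.dst_port not in HTTP_PORTS:
            continue          # LDAP, SMTP etc. are handled by other rules
        if is_internal(ev.dst_ip) or is_allowlisted(ev.dst_host):
            continue
        hits.append(ev)
    return hits


def summarize(hits: list[Egress]) -> dict[str, list[str]]:
    """Group hits by destination so one attacker host shows as one alert."""
    by_dst: dict[str, set[str]] = {}
    for h in hits:
        key = h.dst_host if h.dst_host != "-" else h.dst_ip
        by_dst.setdefault(key, set()).add(h.src_host)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    for dst, srcs in summarize(find_suspicious_egress(SAMPLE_LOG)).items():
        print(f"ALERT: Exchange egress to {dst} from {', '.join(srcs)}")
```

On the constructed sample the workstation's connection to the same attacker host is ignored (it is not an Exchange server) and the LDAP connection to the domain controller is ignored (not an HTTP port), leaving the two Exchange-originated fetches to non-allowlisted external addresses as alerts. In a real deployment the allowlist should be built from observed baseline traffic, and a hit should be correlated with the Exchange IIS logs for the authenticated user who made the triggering request.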

Affected Products (4)

Server Software

  • Microsoft Exchange Server 2016 Cumulative Update 21
  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2019 Cumulative Update 10
  • Microsoft Exchange Server 2019 Cumulative Update 11

Security Updates (4)

Acknowledgments

Anonymous (https://twitter.com/securiteam_ssd) with SSD Secure Disclosure (https://ssd-disclosure.com/)

Revision History

  • 2022-03-08: Information published.