CVE-2021-33768 (GCVE-0-2021-33768)
Vulnerability from cvelistv5 – Published: 2021-07-14 17:53 – Updated: 2024-08-03 23:58
Elevation of Privilege
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| Microsoft | Microsoft Exchange Server 2019 Cumulative Update 9 | Affected: 15.02.0, < 15.02.0858.015 (custom); cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:* |
| Microsoft | Microsoft Exchange Server 2016 Cumulative Update 20 | Affected: 15.01.0, < 15.01.2242.012 (custom); cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:* |
| Microsoft | Microsoft Exchange Server 2016 Cumulative Update 21 | Affected: 15.01.0, < 15.01.2308.014 (custom); cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:* |
| Microsoft | Microsoft Exchange Server 2019 Cumulative Update 10 | Affected: 15.02.0, < 15.02.0922.013 (custom); cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft Exchange Server 2019 Cumulative Update 9",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.02.0858.015",
"status": "affected",
"version": "15.02.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft Exchange Server 2016 Cumulative Update 20",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.01.2242.012",
"status": "affected",
"version": "15.01.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft Exchange Server 2016 Cumulative Update 21",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.01.2308.014",
"status": "affected",
"version": "15.01.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft Exchange Server 2019 Cumulative Update 10",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "15.02.0922.013",
"status": "affected",
"version": "15.02.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-13T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Elevation of Privilege",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:36:53.445Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
],
"title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2021-33768",
"datePublished": "2021-07-14T17:53:42.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:58:22.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-33768",
"date": "2026-06-06",
"epss": "0.00238",
"percentile": "0.47067"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-33768\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2021-07-14T18:15:10.450\",\"lastModified\":\"2024-11-21T06:09:32.717\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Microsoft Exchange Server Elevation of Privilege Vulnerability\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server. Este ID de CVE es diferente de CVE-2021-34470, CVE-2021-34523\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":5.2,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":5.1,\"impactScore\":6.4,\"acInsufInfo\":
false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*\",\"matchCriteriaId\":\"19C1EE0C-B8DD-4B91-BE4B-1C42D72FB718\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*\",\"matchCriteriaId\":\"3BE427A4-B0C2-4064-8234-29426325C348\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4185347-EEDD-4239-9AB3-410E2EC89D2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*\",\"matchCriteriaId\":\"71CDF29B-116B-4DE2-AFD0-B62477FF0AEB\"}]}]}],\"references\":[{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
{
"CVSS 2.0": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"CVSS 3.0": "AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Microsoft Corp",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "2019 Cumulative Update 9 (Microsoft Exchange Server), 2016 Cumulative Update 20 (Microsoft Exchange Server), 2019 Cumulative Update 10 (Microsoft Exchange Server), 2016 Cumulative Update 21 (Microsoft Exchange Server)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.07.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "15.04.2022",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.02.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-00600",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-33768",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Microsoft Exchange Server",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 Microsoft Exchange Server, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u044f, \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (CWE-264), \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438 (CWE-269)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 Microsoft Exchange Server \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2021-33768\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768\nhttps://www.cybersecurity-help.cz/vdb/SB2021071319",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-264, CWE-269",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,7)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8)"
}
CERTFR-2021-AVI-522
Vulnerability from certfr_avis - Published: 2021-07-15 - Updated: 2021-07-15
Multiple vulnerabilities have been fixed in Microsoft products. They allow an attacker to cause a breach of data confidentiality, identity spoofing, remote code execution, a security feature bypass and privilege escalation.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| Microsoft | N/A | Microsoft Exchange Server 2013 Cumulative Update 23 |
| Microsoft | N/A | Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.3 |
| Microsoft | N/A | Microsoft Exchange Server 2016 Cumulative Update 21 |
| Microsoft | N/A | Microsoft Exchange Server 2016 Cumulative Update 19 |
| Microsoft | N/A | HEVC Video Extensions |
| Microsoft | N/A | Microsoft Exchange Server 2019 Cumulative Update 8 |
| Microsoft | N/A | Microsoft Malware Protection Engine |
| Microsoft | N/A | Power BI Report Server |
| Microsoft | N/A | Visual Studio Code |
| Microsoft | N/A | Microsoft 365 Apps for Enterprise for 32-bit systems |
| Microsoft | N/A | Microsoft 365 Apps for Enterprise for 64-bit Systems |
| Microsoft | N/A | Microsoft Exchange Server 2019 Cumulative Update 10 |
| Microsoft | N/A | Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.14 |
| Microsoft | N/A | Microsoft Exchange Server 2016 Cumulative Update 20 |
| Microsoft | N/A | Microsoft Bing Search for Android |
| Microsoft | N/A | Microsoft Exchange Server 2019 Cumulative Update 9 |
| Microsoft | N/A | Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.8 |
| Microsoft | N/A | Open Enclave SDK |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Microsoft Exchange Server 2013 Cumulative Update 23",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 21",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 19",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "HEVC Video Extensions",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Malware Protection Engine",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Power BI Report Server",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Visual Studio Code",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 20",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Bing Search pour Android",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Open Enclave SDK",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-31984",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31984"
},
{
"name": "CVE-2021-33777",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33777"
},
{
"name": "CVE-2021-34470",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34470"
},
{
"name": "CVE-2021-34528",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34528"
},
{
"name": "CVE-2021-34501",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34501"
},
{
"name": "CVE-2021-34464",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34464"
},
{
"name": "CVE-2021-34522",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34522"
},
{
"name": "CVE-2021-31947",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31947"
},
{
"name": "CVE-2021-34523",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34523"
},
{
"name": "CVE-2021-34479",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34479"
},
{
"name": "CVE-2021-33766",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33766"
},
{
"name": "CVE-2021-34452",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34452"
},
{
"name": "CVE-2021-33768",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33768"
},
{
"name": "CVE-2021-33767",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33767"
},
{
"name": "CVE-2021-33775",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33775"
},
{
"name": "CVE-2021-33778",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33778"
},
{
"name": "CVE-2021-31196",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31196"
},
{
"name": "CVE-2021-34469",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34469"
},
{
"name": "CVE-2021-31206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31206"
},
{
"name": "CVE-2021-33753",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33753"
},
{
"name": "CVE-2021-33776",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33776"
},
{
"name": "CVE-2021-34474",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34474"
},
{
"name": "CVE-2021-34473",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34473"
},
{
"name": "CVE-2021-34529",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34529"
}
],
"initial_release_date": "2021-07-15T00:00:00",
"last_revision_date": "2021-07-15T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-522",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-07-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Usurpation d\u0027identit\u00e9"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es,\nune usurpation d\u0027identit\u00e9, une ex\u00e9cution de code \u00e0 distance, un\ncontournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9 et une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 juillet 2021",
"url": "https://msrc.microsoft.com/update-guide/"
}
]
}
FKIE_CVE-2021-33768
Vulnerability from fkie_nvd - Published: 2021-07-14 18:15 - Updated: 2024-11-21 06:09
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Vendor | Product | Version |
|---|---|---|
| microsoft | exchange_server | 2016 |
| microsoft | exchange_server | 2016 |
| microsoft | exchange_server | 2019 |
| microsoft | exchange_server | 2019 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*",
"matchCriteriaId": "19C1EE0C-B8DD-4B91-BE4B-1C42D72FB718",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*",
"matchCriteriaId": "3BE427A4-B0C2-4064-8234-29426325C348",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*",
"matchCriteriaId": "B4185347-EEDD-4239-9AB3-410E2EC89D2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*",
"matchCriteriaId": "71CDF29B-116B-4DE2-AFD0-B62477FF0AEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
},
{
"lang": "es",
"value": "Una vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server. Este ID de CVE es diferente de CVE-2021-34470, CVE-2021-34523"
}
],
"id": "CVE-2021-33768",
"lastModified": "2024-11-21T06:09:32.717",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
},
"published": "2021-07-14T18:15:10.450",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-79W4-597W-FXXX
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.
{
"affected": [],
"aliases": [
"CVE-2021-33768"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T18:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.",
"id": "GHSA-79w4-597w-fxxx",
"modified": "2022-05-24T19:07:54Z",
"published": "2022-05-24T19:07:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33768"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2021-33768
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-33768",
"description": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.",
"id": "GSD-2021-33768"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-33768"
],
"details": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.",
"id": "GSD-2021-33768",
"modified": "2023-12-13T01:23:18.212566Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2021-33768",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Microsoft Exchange Server 2019 Cumulative Update 9",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.02.0",
"version_value": "15.02.0858.015"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2016 Cumulative Update 20",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.01.0",
"version_value": "15.01.2242.012"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2016 Cumulative Update 21",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.01.0",
"version_value": "15.01.2308.014"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2019 Cumulative Update 10",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.02.0",
"version_value": "15.02.0922.013"
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
}
]
},
"impact": {
"cvss": [
{
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Elevation of Privilege"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*",
"matchCriteriaId": "19C1EE0C-B8DD-4B91-BE4B-1C42D72FB718",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*",
"matchCriteriaId": "3BE427A4-B0C2-4064-8234-29426325C348",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*",
"matchCriteriaId": "B4185347-EEDD-4239-9AB3-410E2EC89D2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*",
"matchCriteriaId": "71CDF29B-116B-4DE2-AFD0-B62477FF0AEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
},
{
"lang": "es",
"value": "Una vulnerabilidad de Elevaci\u00f3n de Privilegios en Microsoft Exchange Server. Este ID de CVE es diferente de CVE-2021-34470, CVE-2021-34523"
}
],
"id": "CVE-2021-33768",
"lastModified": "2023-12-28T23:15:20.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
},
"published": "2021-07-14T18:15:10.450",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
WID-SEC-W-2024-1897
Vulnerability from csaf_certbund - Published: 2021-07-13 22:00 - Updated: 2024-08-21 22:00

Several vulnerabilities that are not described in further detail exist in Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019. An attacker can exploit them to execute arbitrary code, to elevate privileges and to disclose information. Some of these vulnerabilities can be exploited by a remote, anonymous attacker. Exploiting some of these vulnerabilities requires no user interaction.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Microsoft Exchange Server 2016 Cumulative Update 20 (Microsoft / Exchange Server 2016) | cpe:/a:microsoft:exchange_server_2016:cumulative_update_20 | Cumulative Update 20 | |
| Microsoft Exchange Server 2019 Cumulative Update 8 (Microsoft / Exchange Server 2019) | cpe:/a:microsoft:exchange_server_2019:cumulative_update_8 | Cumulative Update 8 | |
| Microsoft Exchange Server 2019 Cumulative Update 9 (Microsoft / Exchange Server 2019) | cpe:/a:microsoft:exchange_server_2019:cumulative_update_9 | Cumulative Update 9 | |
| Microsoft Exchange Server 2016 Cumulative Update 19 (Microsoft / Exchange Server 2016) | cpe:/a:microsoft:exchange_server_2016:cumulative_update_19 | Cumulative Update 19 | |
| Microsoft Exchange Server 2013 Cumulative Update 23 (Microsoft / Exchange Server 2013) | cpe:/a:microsoft:exchange_server_2013::cumulative_update_23 | Cumulative Update 23 | |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Microsoft Exchange Server ist das Serverprodukt f\u00fcr das Client-Server Groupware- und Nachrichtensystem der Firma Microsoft.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1897 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2024-1897.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1897 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1897"
},
{
"category": "external",
"summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2021-07-13",
"url": "https://msrc.microsoft.com/update-guide"
},
{
"category": "external",
"summary": "Rapid7 Blog vom 2021-08-12",
"url": "https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/"
},
{
"category": "external",
"summary": "The Hacker News vom 2021-08-30",
"url": "https://thehackernews.com/2021/08/new-microsoft-exchange-proxytoken-flaw.html"
},
{
"category": "external",
"summary": "CISA Known Exploited Vulnerabilities Catalog vom 2024-08-21",
"url": "https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exploited-vulnerabilities-catalog"
}
],
"source_lang": "en-US",
"title": "Microsoft Exchange Server: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-08-21T22:00:00.000+00:00",
"generator": {
"date": "2024-08-22T08:13:42.843+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.6"
}
},
"id": "WID-SEC-W-2024-1897",
"initial_release_date": "2021-07-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2021-07-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2021-08-08T22:00:00.000+00:00",
"number": "2",
"summary": "Schwachstellen auch bekannt als ProxyOracle bzw. ProxyShell"
},
{
"date": "2021-08-12T22:00:00.000+00:00",
"number": "3",
"summary": "Aktive Ausnutzung von CVE-2021-34473 und CVE-2021-34523"
},
{
"date": "2021-08-30T22:00:00.000+00:00",
"number": "4",
"summary": "Aktive Ausnutzung von CVE-2021-33766"
},
{
"date": "2024-08-21T22:00:00.000+00:00",
"number": "5",
"summary": "Aktive Ausnutzung von CVE-2021-31196"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "Cumulative Update 23",
"product": {
"name": "Microsoft Exchange Server 2013 Cumulative Update 23",
"product_id": "T014545",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:exchange_server_2013::cumulative_update_23"
}
}
}
],
"category": "product_name",
"name": "Exchange Server 2013"
},
{
"branches": [
{
"category": "product_version",
"name": "Cumulative Update 20",
"product": {
"name": "Microsoft Exchange Server 2016 Cumulative Update 20",
"product_id": "T018854",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:exchange_server_2016:cumulative_update_20"
}
}
},
{
"category": "product_version",
"name": "Cumulative Update 19",
"product": {
"name": "Microsoft Exchange Server 2016 Cumulative Update 19",
"product_id": "T019778",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:exchange_server_2016:cumulative_update_19"
}
}
}
],
"category": "product_name",
"name": "Exchange Server 2016"
},
{
"branches": [
{
"category": "product_version",
"name": "Cumulative Update 9",
"product": {
"name": "Microsoft Exchange Server 2019 Cumulative Update 9",
"product_id": "T018855",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:exchange_server_2019:cumulative_update_9"
}
}
},
{
"category": "product_version",
"name": "Cumulative Update 8",
"product": {
"name": "Microsoft Exchange Server 2019 Cumulative Update 8",
"product_id": "T019779",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:exchange_server_2019:cumulative_update_8"
}
}
}
],
"category": "product_name",
"name": "Exchange Server 2019"
}
],
"category": "vendor",
"name": "Microsoft"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-31196",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-31196"
},
{
"cve": "CVE-2021-31206",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-31206"
},
{
"cve": "CVE-2021-33766",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-33766"
},
{
"cve": "CVE-2021-33768",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-33768"
},
{
"cve": "CVE-2021-34470",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-34470"
},
{
"cve": "CVE-2021-34473",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-34473"
},
{
"cve": "CVE-2021-34523",
"notes": [
{
"category": "description",
"text": "In Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 und Microsoft Exchange Server 2019 existieren mehrere nicht n\u00e4her beschriebene Schwachstellen. Ein Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren, um seine Privilegien zu erh\u00f6hen und um Informationen offenzulegen. Einige dieser Schwachstellen k\u00f6nnen von einem entfernten, anonymen Angreifer ausgenutzt werden. Die Ausnutzung einiger dieser Schwachstellen erfordert keine Nutzer-Interaktion."
}
],
"product_status": {
"known_affected": [
"T018854",
"T019779",
"T018855",
"T019778",
"T014545"
]
},
"release_date": "2021-07-13T22:00:00.000+00:00",
"title": "CVE-2021-34523"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.