Details of VAR-200109-0011

ID

VAR-200109-0011

CVE

CVE-2001-1099

TITLE

Microsoft Exchange Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200109-019

DESCRIPTION

The default configuration of Norton AntiVirus for Microsoft Exchange 2000 2.x allows remote attackers to identify the recipient's INBOX file path by sending an email with an attachment containing malicious content, which includes the path in the rejection notice. A problem exists in Microsoft Exchange 2000 when running with Norton AntiVirus for Microsoft Exchange. A host running this combination of software can be tricked into disclosing mail directory paths to an attacker. Message attachments sent to an affected host will be scanned for malicious content by Norton AntiVirus for Microsoft Exchange. Upon rejection, the message will be bounced back to the sender with notification of why the message was rejected. When this happens, the path to the intended recipient's INBOX is sent in the message header of the rejection notification. The expected behavior is that the header in the returned message will only contain the destination address of the user and not the path of the user's INBOX. This can be exploited by an attacker who intentionally crafts a message to a user on the host which contains an attachment which will be rejected by the host

Trust: 1.26

sources: NVD: CVE-2001-1099 // BID: 3305 // VULHUB: VHN-3904

AFFECTED PRODUCTS

vendor:	symantec	model:	norton antivirus	scope:	eq	version:	2.5	Trust: 1.6
vendor:	symantec	model:	norton antivirus for ms exchange	scope:	eq	version:	2.5	Trust: 0.3

sources: BID: 3305 // CNNVD: CNNVD-200109-019 // NVD: CVE-2001-1099

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2001-1099
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-200109-019
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-3904
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2001-1099
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-3904
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-3904 // CNNVD: CNNVD-200109-019 // NVD: CVE-2001-1099

PROBLEMTYPE DATA

problemtype:

CWE-434

Trust: 1.1

sources: VULHUB: VHN-3904 // NVD: CVE-2001-1099

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200109-019

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-200109-019

EXTERNAL IDS

db:	BID	id:	3305	Trust: 2.0
db:	NVD	id:	CVE-2001-1099	Trust: 1.7
db:	CNNVD	id:	CNNVD-200109-019	Trust: 0.6
db:	VULHUB	id:	VHN-3904	Trust: 0.1

sources: VULHUB: VHN-3904 // BID: 3305 // CNNVD: CNNVD-200109-019 // NVD: CVE-2001-1099

REFERENCES

url:	http://www.securityfocus.com/bid/3305	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/212724	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/213762	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/7093	Trust: 1.7

sources: VULHUB: VHN-3904 // CNNVD: CNNVD-200109-019 // NVD: CVE-2001-1099

CREDITS

This vulnerability was submitted to BugTraq on September 7th, 2001 by Matthias Andree <matthias.andree@gmx.de>.

Trust: 0.3

sources: BID: 3305

SOURCES

db:	VULHUB	id:	VHN-3904
db:	BID	id:	3305
db:	CNNVD	id:	CNNVD-200109-019
db:	NVD	id:	CVE-2001-1099

LAST UPDATE DATE

2024-08-14T14:09:11.411000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-3904	date:	2020-04-02T00:00:00
db:	BID	id:	3305	date:	2001-09-07T00:00:00
db:	CNNVD	id:	CNNVD-200109-019	date:	2020-04-14T00:00:00
db:	NVD	id:	CVE-2001-1099	date:	2020-04-02T12:51:15.037

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-3904	date:	2001-09-07T00:00:00
db:	BID	id:	3305	date:	2001-09-07T00:00:00
db:	CNNVD	id:	CNNVD-200109-019	date:	2001-09-07T00:00:00
db:	NVD	id:	CVE-2001-1099	date:	2001-09-07T04:00:00