PT-2018-9155 · Microsoft · Exchange Server 2016+4
Richard Shupak · Published 2018-03-13 · Updated 2020-08-24 · CVE-2018-0924
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Microsoft Exchange Server 2010 version 14.3.452.0 (Service Pack 3 Update Rollup 20)
Microsoft Exchange Server 2013 versions 15.0.1395.4 through 15.0.1473.3
Microsoft Exchange Server 2016 versions 15.1.1034.26 through 15.1.1068.10
Description:
An information disclosure issue exists due to how URL redirects are handled. This could allow an attacker to discover sensitive information, such as the URL of the user's Outlook Web Access (OWA) service, if the impacted user is using Microsoft Exchange Outlook Web Access (OWA) Light.
Recommendations:
For Microsoft Exchange Server 2010 version 14.3.452.0, update to a newer version to mitigate the risk.
For Microsoft Exchange Server 2013 versions 15.0.1395.4 through 15.0.1473.3, update to a newer version to mitigate the risk.
For Microsoft Exchange Server 2016 versions 15.1.1034.26 through 15.1.1068.10, update to a newer version to mitigate the risk.
As a temporary workaround, consider restricting access to the OWA Light service until a patch is available.
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Exchange Server
Exchange Server 2010
Exchange Server 2013
Exchange Server 2016
Outlook Web Access