ID CVE-2009-0098
Summary Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:exchange_server:2000:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2003:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2007:sp1:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 12-10-2018 - 21:49)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2014-06-23T04:07:47.483-04:00
class vulnerability
contributors
  • name Dragos Prisaca
    organization Gideon Technologies, Inc.
  • name Todd Dolinsky
    organization Hewlett-Packard
  • name Jonathan Baker
    organization The MITRE Corporation
  • name Shane Shaffer
    organization G2, Inc.
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Jerome Athias
    organization McAfee, Inc.
definition_extensions
  • comment Microsoft Exchange Server 2000 Service Pack 3 is installed
    oval oval:org.mitre.oval:def:1858
  • comment Microsoft Exchange Server 2003 Service Pack 2 is installed
    oval oval:org.mitre.oval:def:1869
  • comment Microsoft Exchange Server 2007 SP1 is installed
    oval oval:org.mitre.oval:def:5577
description Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:6114
status accepted
submitted 2009-02-10T16:00:00
title Memory Corruption Vulnerability
version 16
refmap via4
cert TA09-041A
ms MS09-003
osvdb 51837
secunia 33838
Last major update 12-10-2018 - 21:49
Published 10-02-2009 - 22:30