Vulnerability Description
Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Exchange Server | 2003 |
| Microsoft | Sharepoint Services | 2.0 |
| Microsoft | Windows Server 2003 | All versions |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/10615Third Party Advisory
- http://www.kb.cert.org/vuls/id/530660Third Party AdvisoryUS Government Resource
- http://www.microsoft.com/exchange/support/e2k3owa.aspPatchVendor Advisory
- http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0311&L=ntbugtraq&F=P&S=&Third Party Advisory
- http://www.securityfocus.com/bid/9118Third Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/9409Third Party AdvisoryVDB Entry
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-00PatchVendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13869Third Party AdvisoryVDB Entry
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Third Party Advisory
- http://secunia.com/advisories/10615Third Party Advisory
- http://www.kb.cert.org/vuls/id/530660Third Party AdvisoryUS Government Resource
- http://www.microsoft.com/exchange/support/e2k3owa.aspPatchVendor Advisory
- http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0311&L=ntbugtraq&F=P&S=&Third Party Advisory
- http://www.securityfocus.com/bid/9118Third Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/9409Third Party AdvisoryVDB Entry
FAQ
What is CVE-2003-0904?
CVE-2003-0904 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users w...
How severe is CVE-2003-0904?
CVE-2003-0904 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2003-0904?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Exchange Server, Microsoft Sharepoint Services, Microsoft Windows Server 2003.