Executive Summary
Summary | |
---|---|
Title | Microsoft Outlook Web Access may not use the no-store HTTP directive |
Information | | | |
---|---|---|---|
Name | VU#829876 | First vendor Publication | 2008-05-09 |
Vendor | VU-CERT | Last vendor Modification | 2008-05-09 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:P/I:N/A:N) | | | |
---|---|---|---|
Cvss Base Score | 1.9 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Exploit Score | 3.4 | Authentication | None Required |
Detail
Vulnerability Note VU#829876
Microsoft Outlook Web Access may not use the no-store HTTP directive

Overview
Some versions of Outlook Web Access (OWA) may use the no-cache instead of the no-store HTTP 1.1 directive. This results in web browsers caching sensitive information.

I. Description
Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive. From RFC 2616:

If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.

II. Impact
Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.

III. Solution
We are unaware of a solution for this problem.

Clear browser caches
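The distinction the note draws (no-cache lets a cache store the response and merely forces revalidation, or, when field-scoped, only withholds the named headers; no-store forbids storing it at all) is easy to check mechanically on a web application's responses. The following audit is an added example written for this page, not code from CERT/CC, MITRE or Microsoft; the three response header sets are constructed, and the function names are this example's own. It parses the Cache-Control header per the RFC 2616 grammar and reports why a response carrying sensitive content would still be eligible for disk caching.

```python
"""
Audit Cache-Control headers for the weakness in VU#829876: a response that
relies on no-cache (or a field-scoped no-cache) instead of no-store.
Added illustration; sample responses below are constructed, not captured.
"""
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument or None}.

    Handles both bare directives ("no-cache") and the quoted field-name
    form RFC 2616 allows ('no-cache="Set-Cookie"').
    """
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_cache_control(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries sensitive content.

    An empty list means the response is marked no-store and a conforming
    cache must not write any part of it to persistent storage.
    """
    findings: List[str] = []
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), None)
    if raw is None:
        return ["no Cache-Control header: response is cacheable by default"]

    cc = parse_cache_control(raw)
    if "no-store" in cc:
        return findings  # RFC 2616 14.9.2: cache MUST NOT store the response

    if "no-cache" in cc:
        if cc["no-cache"]:
            # Field-scoped no-cache: only the named header(s) are withheld;
            # the body and remaining headers MAY be cached (quoted in the note).
            findings.append(
                f"no-cache is field-scoped ({cc['no-cache']}): "
                "rest of the response may be cached"
            )
        else:
            # Plain no-cache only forces revalidation before reuse; the
            # cache may still keep a copy on disk.
            findings.append(
                "no-cache without no-store: browser must revalidate before "
                "reuse but may still store the response on disk"
            )
    else:
        findings.append("neither no-cache nor no-store present")
    return findings


# Constructed header sets (not real OWA captures).
WEAK_RESPONSE = {"Cache-Control": "no-cache", "Pragma": "no-cache"}
FIELD_SCOPED_RESPONSE = {"Cache-Control": 'private, no-cache="Set-Cookie"'}
HARDENED_RESPONSE = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE),
                        ("field-scoped", FIELD_SCOPED_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_cache_control(hdrs) or "OK (no-store present)")
```

The findings follow the RFC 2616 semantics the note cites; real browsers have varied in how aggressively they honour no-cache over HTTPS, so the audit reports what a conforming cache is permitted to do, which is the bound a defender has to assume. Running the same check over a webmail session's responses (after authenticating, against one's own deployment) shows directly whether message bodies leave with no-store.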
Systems Affected
References
Thanks to Bill Knox from MITRE reporting this vulnerability. This document was written by Ryan Giobbi.
Original Source
Url : http://www.kb.cert.org/vuls/id/829876
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
45218 | Microsoft Outlook Web Access Cache-Control Directive Information Caching Pers... |