PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6189 Alinto CVE debrief

CVE-2016-6189 is an authenticated information disclosure issue in SOGo. An incomplete blacklist in the calendar feed handling could let a remote authenticated user read sensitive fields from ICS or XML calendar feeds. NVD rates the issue as medium severity (CVSS 4.3).

Vendor
Alinto
Product
SOGo
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Administrators and security teams running SOGo deployments, especially instances that expose calendar feeds to authenticated users and may still be on versions earlier than 2.3.12 or 3.1.1.

Technical summary

The vulnerability affects SOGo before 2.3.12 and 3.x before 3.1.1. According to the NVD description, an incomplete blacklist allows remote authenticated users to obtain sensitive information by reading fields in ICS or XML calendar feeds. In other words, the feed code removed only a fixed set of known-sensitive properties from events it served, so any property not on that list passed through to an authenticated user who should not have seen it. The published CVSS v3 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network reachability, low attack complexity, required low privileges, no user interaction, and confidentiality impact only.

Defensive priority

Medium. The issue is limited to authenticated users and confidentiality impact, but it can still expose sensitive calendar data in deployed SOGo services.

Recommended defensive actions

  • Upgrade SOGo to 2.3.12 or later, or to 3.1.1 or later for 3.x deployments.
  • Inventory all SOGo instances and confirm no affected version remains in production or test environments.
  • Review which calendar feed fields are exposed to authenticated users: fetch the ICS and XML feeds as an ordinary authenticated account that does not own the calendar and confirm that private or confidential events carry no descriptive fields beyond what the feed is meant to publish.
  • Restrict calendar feed access to the minimum necessary authenticated users and roles.
  • Use vendor guidance and patches referenced in the public advisory trail to verify the fix is present in your build.
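The following script is an added example, not code from SOGo or from the patches referenced in this debrief. It illustrates the weakness class described in the technical summary (a denylist that strips only the fields someone thought of, next to an allowlist that cannot miss one) and gives two helpers for the actions above: a version check against the ranges NVD lists, and a feed audit that reports fields still present on non-public events. The sample ICS feed, the field names in DENYLIST and ALLOWLIST, and all function names are constructed assumptions for illustration; they are not SOGo's actual field lists or API.

```python
"""
Added example for CVE-2016-6189 (not SOGo's code).

Shows why denylist-based field stripping in a calendar feed is fragile,
and provides audit helpers for version ranges and feed contents.
All field lists, names and sample data below are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample feed: one public event and one private event
# that carries details a non-owner should never receive.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed-sample//EN
BEGIN:VEVENT
UID:pub-1
SUMMARY:Team standup
DTSTART:20160701T090000Z
CLASS:PUBLIC
END:VEVENT
BEGIN:VEVENT
UID:priv-1
SUMMARY:Salary review with HR
DESCRIPTION:Discuss raise for employee 4711
LOCATION:Room 12b
ATTENDEE;CN=Alice:mailto:alice@example.org
DTSTART:20160702T100000Z
DTEND:20160702T110000Z
CLASS:PRIVATE
END:VEVENT
END:VCALENDAR
"""

# Denylist (assumed, illustrative): the fields a developer remembered to
# strip. LOCATION and ATTENDEE are missing, so they leak. This is the
# "incomplete blacklist" pattern (CWE-184) named in the NVD description.
DENYLIST = {"SUMMARY", "DESCRIPTION"}

# Allowlist (assumed, illustrative): only scheduling metadata that a
# free/busy-style view needs. Any new or forgotten property is dropped.
ALLOWLIST = {"UID", "DTSTART", "DTEND", "DTSTAMP", "DURATION",
             "RRULE", "CLASS", "TRANSP"}

NON_PUBLIC = {"PRIVATE", "CONFIDENTIAL"}


def parse_events(ics: str) -> List[Dict[str, str]]:
    """Minimal VEVENT parser: unfolds continuation lines and keeps one
    value per property name (parameters such as CN= are discarded)."""
    lines: List[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]          # RFC 5545 line unfolding
        else:
            lines.append(raw)
    events, cur = [], None
    for line in lines:
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name = re.split(r"[;:]", line, maxsplit=1)[0].upper()
            cur[name] = line.split(":", 1)[1]
    return events


def to_ics(events: List[Dict[str, str]]) -> str:
    """Serialize events back into a feed (enough for auditing)."""
    out = ["BEGIN:VCALENDAR", "VERSION:2.0"]
    for ev in events:
        out.append("BEGIN:VEVENT")
        out.extend(f"{k}:{v}" for k, v in ev.items())
        out.append("END:VEVENT")
    out.append("END:VCALENDAR")
    return "\n".join(out) + "\n"


def redact_denylist(event: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable pattern: remove known-bad fields, pass everything else."""
    return {k: v for k, v in event.items() if k not in DENYLIST}


def redact_allowlist(event: Dict[str, str]) -> Dict[str, str]:
    """Hardened pattern: keep only known-safe fields."""
    return {k: v for k, v in event.items() if k in ALLOWLIST}


def redact_feed(events: List[Dict[str, str]], redact) -> List[Dict[str, str]]:
    """Apply a redaction strategy to every non-public event."""
    return [redact(ev) if ev.get("CLASS", "PUBLIC").upper() in NON_PUBLIC
            else dict(ev) for ev in events]


def audit_feed(ics: str) -> List[Tuple[str, str]]:
    """Return (uid, field) pairs for non-public events that still carry
    fields outside ALLOWLIST, i.e. content a viewer should not receive."""
    findings = []
    for ev in parse_events(ics):
        if ev.get("CLASS", "PUBLIC").upper() not in NON_PUBLIC:
            continue
        findings.extend((ev.get("UID", "?"), f) for f in sorted(ev)
                        if f not in ALLOWLIST)
    return findings


def is_affected(version: str) -> bool:
    """True if a SOGo version string falls in the ranges NVD lists for
    CVE-2016-6189: before 2.3.12, and 3.x before 3.1.1."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return nums < (3, 1, 1) if nums[0] >= 3 else nums < (2, 3, 12)


if __name__ == "__main__":
    events = parse_events(SAMPLE_ICS)
    print("denylist leaks:", audit_feed(to_ics(redact_feed(events, redact_denylist))))
    print("allowlist leaks:", audit_feed(to_ics(redact_feed(events, redact_allowlist))))
    for v in ("2.3.11", "2.3.12", "3.0.2", "3.1.1"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Running the script shows the denylist strategy still emitting LOCATION and ATTENDEE for the private event while the allowlist strategy emits none. To use audit_feed against a real deployment, fetch a calendar feed as a non-owner account and pass the response body to it, after adjusting ALLOWLIST to the fields your feeds are actually meant to publish.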

Evidence notes

The NVD record describes the flaw as an incomplete blacklist leading to sensitive information exposure through ICS or XML calendar feeds. The record lists affected version ranges as before 2.3.12 and 3.x before 3.1.1. Public references include a July 9, 2016 oss-security mailing list entry, two GitHub patch commits, and a SOGo bug tracker/vendor advisory page. No KEV listing is provided in the supplied corpus.

Official resources

The supplied corpus points to public disclosure on 2016-07-09 via oss-security, alongside vendor patch commits and a bug tracker/advisory reference. The CVE record itself was published on 2017-02-17. Use the published CVE date, not later NV