PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6190 Inverse Inc CVE debrief

CVE-2016-6190 describes an information disclosure issue in SOGo calendar access control. Before SOGo 2.3.12 and 3.x before 3.1.1, authenticated users could access UID and DTSTAMP attributes even when appointments were protected by the "View the Date & Time" restriction. By correlating those values across users, an attacker could infer sensitive details about appointments that should have remained partially hidden. NVD assigns this a medium-severity, network-reachable confidentiality issue with no integrity or availability impact.

Vendor: Inverse Inc
Product: CVE-2016-6190
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

SOGo administrators, email/calendar service operators, and security teams responsible for authenticated collaboration platforms should care most. Organizations using SOGo calendar privacy controls, especially the "View the Date & Time" restriction, should verify they are on fixed releases and review whether any historical metadata exposure matters to their users.

Technical summary

The flaw is an access-control failure on calendar object metadata. The application did not sufficiently restrict access to UID and DTSTAMP fields for protected appointments, so authenticated users could enumerate or correlate those attributes and derive information about events beyond the intended privacy boundary. The weakness is classified by NVD as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Defensive priority

Medium

Recommended defensive actions

  • Upgrade SOGo to a fixed release: 2.3.12 or later, or 3.1.1 or later.
  • Review calendar privacy settings and confirm the intended restriction model is enforced for sensitive appointments.
  • Audit logs and user reports for unexpected access to calendar metadata, especially in environments that relied on "View the Date & Time" controls.
  • If exposure is suspected, assess whether users could correlate UIDs and DTSTAMPs across calendars and whether any business-sensitive scheduling information may have been inferred.
  • Track the linked vendor advisory and patch commits to confirm the remediation applied in your deployment lineage.
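The technical summary above describes the leak as two iCalendar properties (UID and DTSTAMP) passing through a "View the Date & Time" restriction, and the audit action asks operators to check for that exposure. The following added example, which is not SOGo's or Inverse's code, shows both halves from the defender's side: an allowlist filter that a server would apply before returning a restricted VEVENT, and an audit helper that reports which properties a restricted viewer received but should not have. The allowlist, the property names and the sample event are assumptions constructed for illustration.

```python
"""Added example (not SOGo's code): redact a VEVENT for a "View the Date & Time"
viewer and audit a fetched calendar object for the CVE-2016-6190 style leak."""

# Assumed allowlist for a "date & time only" viewer. UID and DTSTAMP are
# deliberately absent: returning them is exactly what CVE-2016-6190 describes.
DATE_TIME_ONLY_ALLOWED = {"BEGIN", "END", "DTSTART", "DTEND", "DURATION"}


def unfold(ics):
    """Join RFC 5545 folded continuation lines (leading space or tab) back together."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def property_name(line):
    """'DTSTART;TZID=UTC:2016...' -> 'DTSTART' (name precedes the first ';' or ':')."""
    return line.split(":", 1)[0].split(";", 1)[0].upper()


def redact_event(ics, allowed=DATE_TIME_ONLY_ALLOWED):
    """Return the VEVENT with every property outside the allowlist removed."""
    kept = [ln for ln in unfold(ics) if property_name(ln) in allowed]
    return "\r\n".join(kept)


def leaked_properties(ics, allowed=DATE_TIME_ONLY_ALLOWED):
    """Audit: sorted names of properties a restricted viewer got but should not have."""
    return sorted({property_name(ln) for ln in unfold(ics)} - allowed)


# Constructed sample of what an unpatched server could hand a restricted viewer.
SAMPLE_EVENT = "\r\n".join([
    "BEGIN:VEVENT",
    "UID:constructed-example-uid@example.invalid",
    "DTSTAMP:20160701T120000Z",
    "DTSTART:20160708T090000Z",
    "DTEND:20160708T100000Z",
    "SUMMARY:Board meeting (should never reach a ",
    " restricted viewer)",  # folded continuation line
    "END:VEVENT",
])

if __name__ == "__main__":
    print("leaked:", leaked_properties(SAMPLE_EVENT))   # ['DTSTAMP', 'SUMMARY', 'UID']
    print(redact_event(SAMPLE_EVENT))
```

Running `leaked_properties` over a calendar object fetched with a restricted test account is a quick way to confirm that a deployment in the fixed release lineage no longer returns UID or DTSTAMP for protected appointments.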

Evidence notes

The supplied CVE description states that SOGo before 2.3.12 and 3.x before 3.1.1 exposed UID and DTSTAMP attributes to remote authenticated users, allowing correlation of appointment metadata despite the "View the Date & Time" restriction. NVD lists the issue as published on 2017-02-17 and modified on 2026-05-13, with source references including an oss-security mailing list post dated 2016-07-09, two vendor patch commits, and a vendor advisory. The provided CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3).

Official resources

Publicly disclosed in the oss-security mailing list reference dated 2016-07-09, with the CVE published by 2017-02-17. The supplied corpus does not indicate known exploitation in the wild or KEV inclusion.