FIX: Mailboxes can be accessed if the DefaultNetworkCredentials option is selected when you use EWS Managed API to connect to Exchange Server

Symptoms
You use Exchange Web Services (EWS) Managed API to connect to a coexistence environment of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2010. If you have the DefaultNetworkCredentials option selected, you can access others people's mailboxes and read the message content in those mailboxes.
Cause
This issue occurs when the initial token in the SOAP envelope is ignored during EWS proxy. In this situation, the token is not processed by using permission checking.
Resolution
To fix this issue, install Update Rollup 12 for Exchange Server 2010 Service Pack 3.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 3115809 - Last Review: 12/15/2015 17:03:00 - Revision: 1.0

Microsoft Exchange Server 2010 Coexistence, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard

  • kbqfe kbsurveynew kbfix kbexpertiseinter KB3115809
Feedback